ABSTRACT


The ubiquity of cellular technology has woven a variety of services, now axiomatic, into
modern social fabric. Among those services is the ability to provide mobile user location.
Applications of these location-based services include providing directions, emergency services,
fraud protection, and direct marketing. This work provides in-depth analysis of
cellular positioning, which leverages the Long Term Evolution (LTE) signaling plane timing
advance (TA) parameter for the purpose of user geolocation. Additionally, we propose a
novel method of augmenting TA-based positioning, Cellular Synchronization Assisted Refinement
(CeSAR). We simultaneously show CeSAR to be a network performance multiplier
and security vulnerability vis-a-vis the method’s electromagnetically passive nature. Furthermore,
we demonstrate how CeSAR improves positioning by adding system information
and mitigating the effects of poor network infrastructure geometry. Through robust statistical
analysis, we derive a theoretical lower bound on TA-based positioning and demonstrate
that a statistically efficient estimator is possible in this context. Furthermore, numerical
studies are conducted with synthetic and empirical data. The real-world data are observed in
actual network deployments found in geographically diverse environments, such as Maryland
and California. The results not only demonstrate the efficiency of the estimator but
show that accuracy on the order of tens of meters is possible. Indeed, TA-based positioning
is shown to be accurate on the order of 40 m in some scenarios. Additionally, we demonstrate
that CeSAR is able to passively provide improvements ranging from 10 to 254 m over
TA-only positioning.
Executive Summary


Over the past decade, the world has seen a dramatic increase in web-based interconnectedness,
which stems largely from the proliferation of cellular technology. Cellular technology’s
role in connecting mobile users has ushered it into a golden age of relevance in the research 
community. Cellular technology is thus the focus of network and security researchers alike. 

Providing a user location within the context of cellular networks has also long been the 
subject of study and marketed as location-based services (LBS). The nascence of LBS is such 
that it has been estimated that the general application of this technology for non-emergency 
services will generate approximately 15 billion dollars annually [1]. This economic boon 
has fueled this direction in mobile device location and the creation of the current corpus 
of research. Applications of LBS include location-sensitive billing, fraud protection, asset 
tracking, fleet management, surveillance [1], and various other services for autonomous 
vehicles and wireless networks. Marketing applications also abound, exploiting a user’s 
location for directed advertising and promotions [2]. Finally, as the social fabric of our 
society extends into digital domains, services like Facebook and Foursquare increasingly 
leverage LBS to share information about a user’s location. 

We propose a novel method of passive subscriber geolocation inside a cellular network. 
Due to the ubiquity of the Long Term Evolution (LTE) standard, we focus specifically on 
this technology but acknowledge that the methodology could easily be translated to other 
protocols such as the Worldwide Interoperability for Microwave Access (WiMAX). In the 
context of LTE, we submit the signaling plane and specifically the timing advance (TA)
parameter to this end of user geolocation. This parameter is primarily responsible for 
managing user mobility in various time division multiple access-based cellular networks. 
Specifically, this is accomplished via the TA by advancing or retarding a mobile device’s 
uplink transmission time relative to the device distance from the serving base station. In 
this way, as mobile devices move throughout the serving area uplink collisions resulting 
in changing propagation delays are mitigated [3]. It is, however, well-known that the 
TA can be used to estimate mobile equipment distance from serving base stations [4]. 
Despite this, there is not a rigorous analysis of the best possible positioning accuracy of 
this method. Additionally, we propose a method of augmenting TA-based positioning,
Cellular Synchronization Assisted Refinement (CeSAR), to further improve the accuracy
of TA-based positioning.

CeSAR is an entirely passive method of augmenting TA-based positioning with a simple 
sensor located in the serving cell. At the heart of CeSAR is the ability to glean additional 
distance information from the TA by learning when the user is scheduled to transmit an 
uplink burst. This enables measurement of the time of flight of that uplink burst from the 
user to the sensor. This information can be combined with the standard user to base station 
distance traditionally inferred from a TA. 

In this work, we examine the TA as a means to position estimation both with and without 
CeSAR augmentation. We provide new complementary statistical analysis of the TA from 
which is derived a lower bound on TA-based position estimation. Furthermore, we use this 
analysis to show how certain parameters of LTE have indirectly resulted in it being possible 
to provide a consistently accurate position estimate. This has not been possible in older 
standards such as the Global System for Mobile Communications (GSM). We use simulated 
and real-world data collected in existing modern LTE networks to validate assumptions 
about the error distribution of TAs, the lower bound on positioning accuracy, and TA-based 
positioning accuracy with and without CeSAR augmentation. In these studies, significant 
attention is given to TA-based geolocation in future heterogeneous networks. Our analysis 
and field experimentation suggest that accuracies of 40 m to 120 m are possible. 
CHAPTER 1:
Introduction 


Over the past decade, the world has seen a dramatic increase in web-based interconnectedness
enabled largely through the proliferation of cellular technology. Cellular technology’s
role in connecting mobile users has ushered it into a golden age of relevance in the research 
community. Cellular technology is thus the focus of network and security researchers alike. 

The attention cellular technology has garnered from network researchers is fueled by the 
public’s insatiable appetite for faster data rates. Indeed, some estimates project a 1000-fold 
increase in cellular network capacity over the next several years [1]. Currently, in North 
America, an LTE subscriber uses approximately 3.7 GB a month. Over the next five years,
the average LTE user’s data consumption is expected to increase to 22 GB a month [2]. 
Increasingly, the solution to this capacity demand is centering on the Long Term Evolution 
(LTE) and LTE-Advanced (LTE-A) protocols as the specific enabling technologies. To wit, 
LTE subscribers are projected to increase from 1.1 billion in 2015 to 4.3 billion over the next 
five years [2]. Additionally, LTE-A subscriptions are projected to increase to 500 million 
by 2018, making massive data rates expected from LTE-A a global reality [3]. Given these 
projections, it is easy to see why network researchers continue to probe the boundaries 
of achievable cellular capacity. Due to the prevalence of LTE, we frame our discussion 
throughout this work in the context of this specific protocol, while acknowledging the 
potential for the translation of fundamental ideas to other technologies (e.g., Worldwide
Interoperability for Microwave Access [WiMAX]). 

The burgeoning ubiquity of cellular networks has also been the impetus for research not 
directly related to increasing capacity. Specifically in the arena of positioning in cellular 
networks, the Federal Communication Commission’s (FCC) E-911 mandate has been especially
prevalent in stoking the research [4]. This mandate enables emergency services by
requiring cellular operators to provide the location of a cellular device with specific bounds 
on accuracy. Put forth in a series of phases, the mandate ultimately requires accuracy to 
within 100 m 67% of the time and 300 m 95% of the time for network-based techniques, 
and 50 m 67% of the time and 150 m 95% of the time for handset-based techniques [5]. 
This work in cellular positioning likely served as inspiration for application of this technology
in other related areas generically termed location-based services (LBS). LBS is a nascent
use of positioning technology; it is estimated that the general application of this technology
for non-emergency services will generate approximately 15 billion dollars annually [6].
This economic boon has fueled this direction in mobile device location and the creation of
the current corpus of work (e.g., [6]-[10]). Applications of LBS include location-sensitive
billing, fraud protection, asset tracking, fleet management, surveillance [6], and various
other services for autonomous vehicles and wireless networks. Marketing applications also
abound, exploiting a user’s location for directed advertising and promotions [10]. Finally,
as the social fabric of our society extends into digital domains, services like Facebook and
Foursquare increasingly leverage LBS to share information about a user’s location.

However, as the cellular market careens towards massive data rates, the market and research
community would be wise to consider the second-order effects of these technological
advances. Specifically, user privacy is an emerging consideration. In the context of LBS,
the microcosm of user location privacy is of particular interest. Privacy can be defined
as [11] “the claim of individuals, groups, or institutions to determine for themselves when,
how, and to what extent information about them is communicated to others.” The scope
of this definition can be further refined to consider only location privacy as “the ability to
prevent other parties from learning one’s current or past location” [12]. These definitions
subsume ideas many hold about privacy and simultaneously give pause when location
data sets are used in applications such as sociological and market studies, optimal cell
tower placement, or traffic monitoring [13]. Despite the fact that these data are usually
anonymized, it has been shown that that anonymity may not be as strong as previously
thought. For instance, remarkable precision has been demonstrated in deanonymization
attacks that use computational means such as Markov modeling in attributing specific users
to anonymized data [13].

As technology moves forward, preserving these definitions of privacy becomes more obscure
and less axiomatic. This difficulty stems from two points. First, the preservation of privacy
is obscure because it is nuanced in implementation. One of the main objectives of this
work is to demonstrate how privacy is connected in ways that are not directly obvious to
seemingly unrelated network parameters. Second, the preservation of location privacy is
less axiomatic because users are either not aware of the dangers to their privacy or are
apathetic to these dangers. For instance, one study [14] reported that 250 users willingly
turned over two weeks’ worth of their driving GPS data in return for a 1 in 100 chance of 
winning a $200 MP3 player. Furthermore, of the 250 individuals in the study, 97 were asked 
if their data could be shared with a third party and only 20% refused. The trend indicated 
by this study is representative of other similar studies [15]-[17]. 

This work addresses the problem of mobile device location in cellular networks. To this 
end, we enumerate several objectives framed from two different perspectives: the network 
operator’s perspective and the vulnerability analyst’s perspective. First, from the network 
operator’s perspective, we seek a cellular geolocation solution with the following two 
requirements: 

1. An accurate position estimate. 

2. A minimal impact on network performance. 

The first objective follows as an ad oculos requirement since it is obvious that a more 
accurate position estimate is preferable compared to a less accurate estimate. However, 
more accurate position estimates usually come at a cost. For instance, in the case of 
certain positioning schemes that will be detailed later, accuracy may be bought by spending 
more time training a model [18], [19]. Therefore, rather than search for the most accurate 
position estimate, we seek the position estimate that is accurate enough in light of the 
second requirement. For instance, in the context of social media, a position estimate that is 
accurate to within 50 m may be preferable to a position estimate that is accurate to 10 m if 
the former estimate can be made with no impact to the network performance. To the point, 
it may be that the latter estimate requires interfacing with the network, perhaps to exchange 
positioning requests or to send a reference signal. This exchange requires network resources 
that could otherwise be used for raw data throughput. It is in these scenarios where our 
solution space lies. 

Next, from the perspective of the vulnerability analyst we examine the cellular protocol to 
the end of evaluating its ability to preserve a user’s location privacy. Specifically, we seek 
to answer the following questions: 

1. To what extent is a user’s location information leaked in LTE cellular side channels? 

2. What is the cost of accessing location information leakage in LTE? 
Location privacy and the accuracy of the position estimate are intrinsically linked in that
they are at least inversely proportional [20]. This inverse proportionality follows from
the fact that as information about a user’s whereabouts becomes more accurate that user’s
privacy necessarily decreases. Thus, as the first question from the security analyst’s perspective
is answered, the parameters constraining the network operator’s first requirement
are constructed. We will later show that, in particular, the signaling plane carries a significant
amount of location-based information. Moreover, this information is available in
plaintext to any passive listener, lowering the cost of observation and making the observation
reasonably covert.

We then proceed with this dual perspective. In both cases, the most accurate solution 
is required such that passive observation is still preserved. We begin in Chapter 2 with 
some necessary preliminaries, such as the wireless channel model that will frame the 
discussion in the remainder of the work. Chapter 2 then concludes with a survey of modern 
positioning schemas, including the positioning protocol currently specified by the LTE 
standard to provide mobile user location. The proposed solution approach is then introduced 
in Chapter 3. We begin to explore in detail our solution approach in Chapter 4 where we 
introduce the main mechanism on which our approach will rely, the LTE signaling plane’s 
timing advance (TA) parameter. Chapter 5 then details CeSAR, an entirely passive method 
by which more information can be gleaned from the TA in order to improve the position 
estimate. Next, in Chapters 6 and 7, we conduct a rigorous statistical analysis of TA-based 
positioning. This analysis will reveal an analytical lower bound on achievable performance 
and show how, with the advent of tighter timing alignment that supports higher data rates, 
LTE has turned a statistical corner. An indirect result of more strict timing alignment is a
much more consistent leak of location-based data than some of the legacy cellular standards 
like the Global System for Mobile Communications (GSM). The analytical results will then 
be evaluated in Chapter 8 through the use of synthetic and empirical data. It will be shown 
that a statistically efficient estimator for TA-based positioning is possible, and expected 
performance bounds for the proposed scheme will be developed. The present work and 
major contributions are summarized in Chapter 9 before suggestions for future work are 
discussed. 

The contents of this dissertation have been revised from previous work already published or 
in publication by the author. Specifically, Sections 2.1, 2.2.4, 2.2.5, 4.8, 5.3, and 8.1.2 are 
revised from “Location Privacy in LTE: A Case Study on Exploiting the Cellular Signaling
Plane’s Timing Advance” by John Roth, Murali Tummala, John McEachen, and James
Scrofani to be published in the proceedings of the 50th Hawaii International Conference
on System Sciences in January 2017 [28]. Sections 2.3, 4.1-4.6 and 8.1.1 are revised
from “Cellular Synchronization Assisted Refinement (CeSAR): A Method for Accurate
Geolocation in LTE-A Networks” by John Roth, Murali Tummala, and James Scrofani
published in the proceedings of the 49th Hawaii International Conference on System Sciences
in January 2016 [24]. Sections 4.7, 6.1, and 6.2 are revised from “Maximum Likelihood
Geolocation in LTE Cellular Networks Using the Timing Advance Parameter” by John
Roth, Murali Tummala, John McEachen, James Scrofani, and Robert DeGabriele to be
published in the proceedings of the 10th International Conference on Signal Processing
and Communication Systems in December 2016. Sections 5.1, 6.4-6.9, and 8.3.2 are
revised from “On Location Privacy in LTE Networks” by John Roth, Murali Tummala, John
McEachen, and James Scrofani which has been submitted for publication.
CHAPTER 2:
Background 


In this section, we present the necessary background and review the current state-of-the-art 
in wireless geolocation. First, we introduce the wireless channel as a necessary preliminary. 
This is the channel model that the remainder of the background, and the main body of
presented work itself, will reference. Next, we introduce various methods of positioning in
the context of cellular networks. Finally, we introduce the current method of positioning in 
our target technology, LTE. 

This section includes material adapted from work previously published by the author. 
Specifically, Section 2.1 is revised from “Maximum Likelihood Geolocation in LTE Cellular 
Networks Using the Timing Advance Parameter” by John Roth, Murali Tummala, John
McEachen, James Scrofani, and Robert DeGabriele to be published in the proceedings
of the 10th International Conference on Signal Processing and Communication Systems
in December 2016 [21]. Sections 2.2.4 and 2.2.5 are revised from “Location Privacy
in LTE: A Case Study on Exploiting the Cellular Signaling Plane’s Timing Advance”
by John Roth, Murali Tummala, John McEachen, and James Scrofani to be published
in the proceedings of the 50th Hawaii International Conference on System Sciences [28].
Section 2.3 is revised from “Cellular Synchronization Assisted Refinement (CeSAR): A
Method for Accurate Geolocation in LTE-A Networks” by John Roth, Murali Tummala,
and James Scrofani published in the proceedings of the 49th Hawaii International Conference
on System Sciences in January 2016 [24]. 


2.1 Channel Model 

In this section, we describe the wireless channel mathematically in the context of distance 
estimation. We pay specific attention to errors associated with standard distance estimation, 
TA-related error, and non-line-of-sight (NLoS) channels. 

In positioning-based models, a common overall representation of the distance relationship 
between an anchor point and a position to be estimated is given by

$$\hat{\mathbf{d}} = \mathbf{d} + \boldsymbol{\epsilon} \qquad (2.1)$$

where $\hat{\mathbf{d}} = [\hat{d}_1, \hat{d}_2, \ldots, \hat{d}_N]^T$ are the observed measured distances from the $N$ base stations,
termed in the LTE lexicon enhanced node-Bs (eNBs), $\mathbf{d} = [d_1, d_2, \ldots, d_N]^T$ are the actual
distances, and $\boldsymbol{\epsilon} = [\epsilon_1, \epsilon_2, \ldots, \epsilon_N]^T$ are the set of errors corrupting the true distances.
Distance is defined as $d_i = \| \mathbf{p}_0 - \mathbf{p}_i \|$ where $\| \cdot \|$ is the Euclidean norm and $\mathbf{p}_0 = [x_0, y_0]^T$
is the actual location of the position to be estimated and $\mathbf{p}_i = [x_i, y_i]^T$ is the position of the
anchor point or base station. We hereafter refer to anchor points exclusively as eNBs
and the mobile device whose position will be estimated as user equipment (UE) in keeping
with the cellular vernacular. The set of measured distances $\hat{\mathbf{d}}$ are then used to determine a
position estimate via

$$\hat{\mathbf{p}} = f(\hat{\mathbf{d}}) \qquad (2.2)$$

where $f(\cdot)$ is some function making use of available information and $\hat{\mathbf{p}} = [\hat{x}, \hat{y}]^T$ is the
position estimate. For our application, $f(\cdot)$ represents a fusion of the observed data in $\hat{\mathbf{d}}$.

The noise vector $\boldsymbol{\epsilon}$ is the source of distance estimation error which virtually guarantees that
$\| \mathbf{p}_0 - \hat{\mathbf{p}} \| > 0$, and is of particular interest in all types of wireless positioning. As a first
approximation of $\epsilon_i$ let

$$\epsilon_i = \chi_i \qquad (2.3)$$

such that $\chi_i \sim \mathcal{N}(0, \sigma^2)$ is a normal zero-mean random variable (RV) with some variance
$\sigma^2$. This is typically used to model measurement noise and may be appropriate in some
channel conditions, for example, if a line-of-sight (LoS) condition exists between the transmitter
and receiver [7]. LoS conditions imply that there are no physical obstructions between
the transmitter and receiver in the wireless channel. Common applications of this simplified
noise model include the global positioning system (GPS) and rural multilateration.

Figure 2.1. The difference in a multipath and NLoS channel: (a) multipath, (b) NLoS.

Next we expand on (2.3) in order to describe an $\boldsymbol{\epsilon}$ that is tailored to errors associated with
TA-based ranging measurements. The TA is a control plane parameter used by the network
to take into account propagation delay between a UE and eNB when synchronizing the
UE’s uplink burst¹ [22]. The TA is a discrete quantity, thus the error associated with the
TA ranging measurement is classically approximated as essentially a quantization noise
term. Specifically, in LTE, the TA has a quantization interval of 78.125 meters [23], [24].
Therefore, under this ideal model, error can be modeled as

(2.4) 

where is the quantization error associated with the TA measurement error. This 
simplification of TA-based error is nuanced, and thus, a significant body of the present 
work is dedicated to bringing to light the conditions under which this assumption can be 
made. Commonly, this error is modeled ideally as a uniformly-distributed RV [24]-[26]. 
However, for realistic applications, this model alone may not hold. Research in GSM 
and LTE networks has shown that the TA may be more accurately modeled by a normal 
distribution [27]-[29] or approximately normal distribution [21], as described by 

= Xi + (2.5) 

which is consistent with the empirical data presented in this work (cf. Chapter 4). This 
indicates that the TA transition areas are not hard transitions as commonly assumed, but 
rather have fuzzy boundaries or transition zones. This can be explained by time-varying 
channel conditions as well as errors associated with distance estimation at the eNB (which
is ultimately responsible for calculating the UE distance and issuing a TA). 

¹ Further analysis of the inner workings and details of the TA will be the exclusive subject of a subsequent
chapter.

In some use cases, the error cannot be accurately modeled by (2.5) either. For instance,
in physically dense environments (e.g., urban canyons), the channel is often polluted by
buildings, skyscrapers, and the like, which obstruct the LoS from the UE to the eNB. At
the very least, this results in a multipath scenario, shown in the left pane of Figure 2.1. In 
multipath propagation, the signal arrives at the receiver via at least one reflected path, which 
will travel some non-minimal distance. There may be a LoS component; however, it is not 
guaranteed to be the strongest of the arriving signal components. For instance, two reflected 
paths may add constructively at the receiver to provide a combined signal strength larger 
than that of the LoS component. In severe cases, there will be no LoS component, as in the 
right pane of Figure 2.1, and the channel can be described as non-line of sight (NLoS). In 
these scenarios, the distance error will always be positively biased, since all signal paths 
travel some non-minimal distance, and the noise model can be extended such that 

= Xi + + Vi (2.6) 

where $\eta_i$ is some positively-biased RV representing the error associated with NLoS conditions
between the UE and the eNB. Popular models for $\eta_i$ include an exponential
distribution [30], a uniform distribution [31], a positively-biased normal distribution [7], 
[27], [30], and a Rayleigh distribution [30]. Common applications of this NLoS noise 
model include positioning in dense urban environments or indoor scenarios. 

Given (2.6), $\boldsymbol{\epsilon}$ is a random vector where the probability density function (PDF) of each
element is the result of a double convolution 


P 5 (^/) = PxiXi) * PaM * PNiVi)- (2.7) 

Depending on what distribution types are used for each RV, a closed-form solution for $p_\epsilon(\epsilon)$
may not be possible. For now we leave these distributions as generically defined and later
ascribe specific distribution types to them.²
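
The double convolution in (2.7) can be carried out numerically when no closed form is at hand. The following is an added example, not code from the original work: it discretizes a zero-mean normal term, a uniform TA quantization term spanning one 78.125 m step, and an exponential NLoS term, then convolves them. The symmetric uniform limits, the 30 m standard deviation, the 50 m exponential mean, the 1 m grid and all function names are assumptions of this example.

```python
import math

TA_STEP_M = 78.125   # LTE TA quantization interval given in the text (meters)
H = 1.0              # grid spacing in meters (assumption of this example)
K = 800              # grid spans -K*H .. +K*H meters
GRID = [k * H for k in range(-K, K + 1)]


def pmf_from_cdf(cdf):
    """Probability mass of each grid cell [x - H/2, x + H/2]."""
    return [cdf(x + H / 2) - cdf(x - H / 2) for x in GRID]


def normal_cdf(sigma):
    """Zero-mean measurement noise, as in (2.3)."""
    return lambda x: 0.5 * (1.0 + math.erf(x / (sigma * math.sqrt(2.0))))


def uniform_cdf(width):
    """Ideal quantization error, assumed uniform on [-width/2, +width/2]."""
    return lambda x: min(1.0, max(0.0, (x + width / 2) / width))


def exponential_cdf(mean):
    """One of the NLoS models listed in the text: strictly non-negative."""
    return lambda x: 1.0 - math.exp(-x / mean) if x > 0 else 0.0


def convolve(a, b):
    """PMF of the sum of two independent RVs on the same symmetric grid."""
    n, mid = len(a), len(a) // 2
    out = [0.0] * n
    for i, ai in enumerate(a):
        if ai == 0.0:
            continue
        for j, bj in enumerate(b):
            k = i + j - mid          # index of the cell holding x_i + x_j
            if bj and 0 <= k < n:
                out[k] += ai * bj
    return out


def error_pmf(sigma_m, nlos_mean_m=None):
    """Distribution of the ranging error; NLoS term included only if given."""
    pmf = convolve(pmf_from_cdf(uniform_cdf(TA_STEP_M)),
                   pmf_from_cdf(normal_cdf(sigma_m)))
    if nlos_mean_m:
        pmf = convolve(pmf, pmf_from_cdf(exponential_cdf(nlos_mean_m)))
    return pmf


def moments(pmf):
    """Mean and variance of a PMF defined on GRID."""
    total = sum(pmf)
    mean = sum(x * p for x, p in zip(GRID, pmf)) / total
    var = sum((x - mean) ** 2 * p for x, p in zip(GRID, pmf)) / total
    return mean, var


def prob_negative(pmf):
    """Probability that the measured range is shorter than the true range."""
    return sum(p for x, p in zip(GRID, pmf) if x < 0) / sum(pmf)


if __name__ == "__main__":
    for label, nlos in (("LoS", None), ("NLoS", 50.0)):
        pmf = error_pmf(sigma_m=30.0, nlos_mean_m=nlos)
        mean, var = moments(pmf)
        print(f"{label:5s} mean={mean:7.2f} m  std={math.sqrt(var):6.2f} m  "
              f"P(error<0)={prob_negative(pmf):.3f}")
```

Because the terms are independent, the means and variances add, so the NLoS term shifts the whole error distribution by its mean and the quantization term alone contributes a variance of 78.125²/12 m².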

2.2 Approaches to Positioning 

In this section, we provide a brief taxonomy of relevant traditional techniques in wireless
localization. We then provide a review of previous work in TA-based positioning. For
the purposes of our taxonomy, the positioning system will consist of several eNBs whose
positions are known and a target to be located. Additionally, the target is assumed to be
emitting a radio frequency (RF) signal with known content and transmit power.

² This section was revised from [21].

2.2.1 Multilateration 

The first class of positioning solutions in our taxonomy is multilateration. In this solution
approach, the distance of the target is estimated from several eNBs. Those distance estimates
are then fused into a position estimate via some nonlinear function, $f(\cdot)$. The first of the
multilateration-based techniques measures the received signal strength (RSS) from multiple
eNBs. Because the strength of the signal is known a priori, a path loss model is used to
estimate the eNB-target distance. This received signal strength model leans heavily on an
exact known broadcast strength and an accurate model of the path loss $X$ [7], [8] classically
described by

$$X = \gamma \, 10 \log\left(\frac{4 \pi d}{\lambda}\right) \qquad (2.8)$$

where $d$ is the propagation distance, the path loss exponent $\gamma$ models the propagation
environment, and the wavelength $\lambda$ is set by the transmit frequency.

A position can also be estimated through multilateration via time-of-arrival (ToA) calculation.
This solution leverages knowledge of the signal’s time of flight and propagation speed
to calculate the eNB-target distance to produce a circular locus such as that shown in the
left pane of Figure 2.2. Because this technique is highly sensitive to variations in time,
it assumes a very precisely synchronized system. Notably, not only do the eNBs need to
be synchronized in time, but the target must also be synchronized [7], [8]. The position
estimate is then made by some means from the resulting system of equations

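$$\begin{aligned}
(x - x_1)^2 + (y - y_1)^2 &= d_1^2 \\
(x - x_2)^2 + (y - y_2)^2 &= d_2^2 \\
&\;\;\vdots \\
(x - x_N)^2 + (y - y_N)^2 &= d_N^2
\end{aligned} \qquad (2.9)$$

which, if any error is present, will likely be inconsistent for $N > 2$ eNBs or underdetermined
for all other $N$.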
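
One way to make a position estimate from (2.9) "by some means" is Gauss-Newton least squares on the range residuals. The following is an added example, not code from the original work: it solves the system for exact ranges, for ranges rounded to the 78.125 m TA step from Section 2.1 (which makes the three equations inconsistent), and for the two-eNB case, where two mirror-image positions fit equally well. The eNB coordinates, the UE position, the round-to-nearest rule, the starting guesses and all function names are constructed for illustration.

```python
import math

TA_STEP_M = 78.125  # LTE TA quantization interval given in the text (meters)

# Constructed geometry (meters): three eNBs and one true UE position.
ENBS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
UE = (400.0, 300.0)


def quantize_range(distance_m):
    """Nearest multiple of the TA step (rounding rule assumed by this example)."""
    return round(distance_m / TA_STEP_M) * TA_STEP_M


def solve_toa(enbs, ranges, guess, iters=100, tol=1e-9):
    """Gauss-Newton least squares on r_i = ||p - p_i|| - d_i for system (2.9).

    Returns (x, y, rms_residual_m). A non-zero RMS residual means the
    circles do not meet in a single point, i.e. the system is inconsistent.
    """
    x, y = guess
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (xi, yi), di in zip(enbs, ranges):
            rho = max(math.hypot(x - xi, y - yi), 1e-9)
            jx, jy = (x - xi) / rho, (y - yi) / rho   # row of the Jacobian
            res = rho - di
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 += jx * res
            b2 += jy * res
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break                                     # no unique step exists
        dx = (-b1 * a22 + b2 * a12) / det             # solve (J^T J) step = -J^T r
        dy = (-b2 * a11 + b1 * a12) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    rms = math.sqrt(sum((math.hypot(x - xi, y - yi) - di) ** 2
                        for (xi, yi), di in zip(enbs, ranges)) / len(enbs))
    return x, y, rms


def demo():
    """Run the three cases and return their (x, y, rms) results."""
    true_d = [math.hypot(UE[0] - xi, UE[1] - yi) for xi, yi in ENBS]
    start = (333.0, 333.0)
    exact = solve_toa(ENBS, true_d, start)
    quant = solve_toa(ENBS, [quantize_range(d) for d in true_d], start)
    # N = 2: both mirror images about the eNB baseline satisfy the equations;
    # the answer depends only on which side the starting guess lies.
    two_up = solve_toa(ENBS[:2], true_d[:2], (500.0, 100.0))
    two_down = solve_toa(ENBS[:2], true_d[:2], (500.0, -100.0))
    return exact, quant, two_up, two_down


if __name__ == "__main__":
    for name, (x, y, rms) in zip(("exact", "quantized", "N=2 up", "N=2 down"),
                                 demo()):
        err = math.hypot(x - UE[0], y - UE[1])
        print(f"{name:10s} x={x:8.2f} y={y:8.2f} "
              f"rms={rms:6.2f} m  error={err:7.2f} m")
```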
Figure 2.2. The locus geometry for different multilateration-based positioning
schemas: (a) ToA & RSS, (b) TDoA & FDoA. Note that for the TDoA and FDoA techniques, $N - 1$ loci are
produced while in ToA and RSS $N$ loci are realized.

The final solution to multilateration is time-difference-of-arrival (TDoA). This technique 
uses the time difference of arrival to calculate the position estimate. In this way, the signal’s 
absolute time of flight is not needed, rather only the differences in time of flight are required.
These measurements result in hyperbolic loci where the eNBs are the foci of the hyperbolae 
described by 

((a: - Xif + iy - yif) - ((a: - xjf + (y - yjf) = V i,j i j. (2.10) 

One main advantage of this technique over the ToA technique is that, while the eNBs still
require strict time synchronization, the target need not be synchronized [7], [8].³ On the
other hand, TDoA will always produce one less equation in (2.10) than in (2.9), thus while
a minimum of $N = 3$ eNBs are required for a two dimensional fix with ToA, $N = 4$ eNBs
are required for a two dimensional fix with TDoA.

One notable limitation of multilateration techniques is that they assume the RF signal 
is transiting the minimal transmitter-receiver distance. As we have seen in a multipath 
environment, and especially NLoS channels, this may not be the case. Therefore, the 
performance of these techniques is additionally tied to the assumption of a LoS channel. 
This assumption will not hold in some channels which include indoor and dense urban 
environments. 
Figure 2.3. The database correlation method of positioning where a radio
signature I) is compared to database elements ©,• collected a priori at certain 
locations. The location at which the closest database element match was 
taken is used as the position estimate. 

2.2.2 Database Correlation 

A popular alternative to multilateration methods is the database correlation technique (also 
known as “fingerprinting” or “radio frequency pattern matching”). This technique seeks to 
leverage spatial diversity in a multipath environment to improve positioning. To this end, 
radio signatures are collected at various locations and stored in some database D. Signatures 
that have been previously used and demonstrated as effective include the channel impulse 
response [33], [34], the RSS [19], [35], observable cell IDs [18], [36], [37], and network 
parameters such as the TA [38], [39]. This database of radio signatures is then compared 
with measurements made online, I). The location at which the closest database match 
was taken is used as the position estimate. While the database correlation method can be 
robust in multipath environments, it has a large database creation (i.e., database training) 
and maintenance cost [18], [19]. Additionally, it is easy to see that accuracy can be tied to 
database size. Thus, as more accuracy is desired a more granular database must be created 
and maintained. Also, as the database size grows, the computational cost associated with 
the database search increases. 

2.2.3 Timing Advance-Based Positioning 

As TA-based positioning is at the center of this work, we now provide a review of previous
TA-based research. This literature survey was previously presented in [28]. The TA has long
been studied as a means to positioning and can be seen as specific cases of multilateration or
even as database correlation. The TA can provide a rough eNB-target distance measurement
such that ToA techniques can be applied to this specific type of measurement. Additionally,
as will be shown in a subsequent section, the TA has also been used as a radio signature in
fingerprinting databases [39].

³ A close relative of TDoA is frequency difference-of-arrival (FDoA) where Doppler shift is used in
conjunction with eNB-target relative motion to describe a hyperbolic system of equations [32].

2.2.4 The Timing Advance in GSM 

The investigation of the TA for positioning applications began before the advent of LTE in 
GSM, a legacy protocol. For instance, in [40], the authors discuss the possibility of using 
the GSM TA as a mechanism for positioning. They note poor accuracy and suggest forcing 
base station handovers in order to get a second TA to improve positioning. They conclude 
that the accuracy is not sufficient for TA to be seriously considered by itself as a method for 
positioning. 

Accuracy concerns are echoed in [5] where it is estimated that the accuracy of the GSM TA 
is theoretically 550 meters and practically 2,200 meters. Nevertheless, it is noted that a cell 
tower, termed base transceiver station (BTS) in GSM, location in conjunction with the TA 
is used in many countries around the world as a means for subscriber localization. This is 
also a “fallback” GSM localization technique in the United States if a subscriber cannot be 
located with other, more accurate, means. 

The authors in [25] suggested taking multiple TA measurements from the same tower and 
averaging them in order to improve distance estimation. An analysis of the method is 
presented, but no real-world experimentation was conducted. It was noted that their method 
will only result in a distance from the BTS, and any further improvement in accuracy will 
be the fruit of other means. 

In [41], the authors propose the use of GSM TA for traffic state estimation, not for precise 
user localization. However, their evaluation oversimplifies the TA behavior in simulation. 
Similar to the other studies described thus far, no empirical data are used. 

The authors in [26] present the only study we are aware of that uses empirical TA data 
observed from a GSM network; however, their application was in finding GSM BTSs and 
not user location. Their study was still largely simulation based, and they only presented 
one real-world example.⁴ 


2.2.5 The Timing Advance in LTE 

The largely unsuccessful first forays into using the TA as a parameter for localization are 
probably to blame for the limited amount of research in GSM TA-based positioning. With 
an accuracy as low as 550 meters to 2.2 kilometers [5], it is not surprising that the TA did 
not receive much attention in the literature initially. 

It was not until Jarvis et al. [23] recognized the potential in the TA parameter in LTE 
networks that researchers reopened their study of the TA as a means to positioning. Although 
again a simulation-only approach, the authors showed viable positioning accuracy in three 
dimensions when using a TA from three and four eNBs. The authors did not address 
how using more than one eNB would be possible nor did they assume there was any error 
associated with the eNB in issuing the correct TA to the UE. Similar investigations were 
conducted using WiMAX technology in [42]. 

In [38], Wigren uses the LTE TA as a complementary database feature when performing 
localization via fingerprinting. Using a heuristic approach to modeling the behavior of the 
TA, he noted accuracies on the order of his TA error and suggested his algorithm as an 
appropriate fallback technology for positioning for E-911 in LTE if Assisted GPS was not 
available. 

The authors in [43] used LTE TA as a means for proximity discovery in device-to-device 
communications. They showed through simulation that errors as low as 50 meters were 
possible for certain eNB geometries. However, their modeling of the TA was also heuristic, 
and did not account for any error in the eNB issuing an incorrect TA. 

The work represented by [44] is the only published work we are aware of that uses empirical 
measurements to validate TA-based positioning approaches in LTE. Their approach did not, 
however, focus on characterizing the TA. Rather, similar to Wigren’s approach, they used it 
as another feature in a fingerprinting approach to localization with the aim of minimizing 
the cost of training their fingerprint database. They also made no attempt to characterize 
how the TA value correlated with the true distance of the UE. 

⁴ This section was revised from [28]. 

In summary, the corpus representing the TA parameter in the literature is conspicuously 
sparse. Even more absent are studies conducted with empirical data, thus making modeling 
in simulation largely a product of conjecture.⁵ 


2.3 LTE Positioning Protocol 

In this section, we describe how the network currently provides LBS to the UE in LTE. 
This is done via the LTE Positioning Protocol (LPP) [39]. LPP allows for several methods 
of position location: Observed Time-Difference-of-Arrival (OTDOA), Assisted Global 
Navigation Satellite System (A-GNSS), and Enhanced Cell ID (E-CID). 

A-GNSS is well studied and provides very reasonable accuracy. With the integration of the 
required hardware in many modern mobile devices, A-GNSS arises as an adept solution to 
the mobile location problem. Despite this, there still exists a legacy population without the 
required hardware that must be serviced. Additionally, A-GNSS usually comes at a high 
power cost which, given the power-constrained mobile platform, is undesirable. Finally, the 
emerging requirement for accurate positioning indoors and in metropolitan canyons requires 
an alternative solution [45]. 

OTDOA is a positioning method where a UE will measure the time difference of arrival of 
the LTE Positioning Reference Signal (PRS) from multiple eNBs. This information is then 
sent to a network-based Enhanced Serving Mobile Location Center (E-SMLC). With three 
or more eNBs, the resulting system of equations can be solved to provide a position estimate. 
However, like A-GNSS, OTDOA suffers in urban and indoor environments where NLoS 
and multipath channels dominate. Release-11 will complement OTDOA with Uplink 
Time-Difference-of-Arrival (UTDOA). The main difference is that UTDOA is determined by 
the eNBs after a signal is sent from the UE [45] whereas the opposite is true in OTDOA. 

The third method enlisted by LPP for UE positioning is enhanced-cell ID (E-CID). This 
method is identical to the database correlation method. When a UE initiates an LPP session, 
and E-CID is the chosen method from which to derive a position, the network will negotiate 
with the UE which radio signatures the UE will measure and send to the E-SMLC to be 
compared against its database. This measurement set is reliant on the composition of the 
a priori database and the UE capabilities. Measurements specified in the LPP standard 
include cell-ID, reference signal received power (RSRP), reference-signal received quality 
(RSRQ), and TA [39]. The best radio signature set useful for positioning is currently an 
open topic (e.g., [38]); however, data fusion has been suggested by the body governing the 
development of LTE, the Third Generation Partnership Project (3GPP), [46] via 

$$\hat{p} = \arg\min_{p} \left( \frac{\hat{D}_{RSRP} - D_{RSRP,i}}{\sigma^2_{D_{RSRP,i}}} + \frac{\hat{D}_{TA} - D_{TA,i}}{\sigma^2_{D_{TA,i}}} \right) \qquad (2.11)$$

where $\hat{D}_{RSRP}$ is the UE measured RSRP, $D_{RSRP,i}$ is the pre-recorded RSRP measurement, 
$\hat{D}_{TA}$ is the current UE TA, $D_{TA,i}$ is the pre-recorded TA measurement, and $\sigma^2$ are 
the respective database variances. Here the variances have been included as weights to 
normalize the effect of datasets with different statistics. 

⁵ This section was revised from [28]. 


Finally, it should be noted that LPP sessions are ciphered [47] and, as such, effectively 
protected data. This study assumes these data to be unreadable and thus not available for 
exploitation.⁶ 


⁶ This section is revised from [24]. 

CHAPTER 3: 
Solution Approach 


In this work, we propose a novel method to localize a connected cellular device based on 
the LTE signaling plane TA parameter. While this work specifically focuses on applications 
in LTE/LTE-A, the fundamental process is applicable to all cellular technologies which 
manage mobile device timing alignment (e.g., WiMAX). 

As was seen in the literature survey in Chapter 2, it is well-known that, in addition to 
maintaining time alignment, the TA can be used to estimate UE distance from serving 
eNBs [23], [40]. However, there is not a rigorous analysis of the best possible positioning 
accuracy of this method. We will show through analysis how, with the advent of tighter 
time alignment in LTE, the TA has turned a statistical corner making positioning a UE 
with an unprecedented level of consistent accuracy possible. Additionally, we propose a 
method of augmenting TA-based positioning to further improve accuracy. Referring now 
to Figure 3.1, we outline the proposed scheme in three general steps. First, relevant data 
are collected. Primarily, this includes TA data sent to the target UE from which a distance 
estimate is inferred. Optionally, the TA data are then augmented with the CeSAR algorithm. 
The position estimate is then made with the resulting data set. 

3.1 Data Collection 

Data collection begins with initialization with the relevant parameters that are assumed to be 
known a priori. The parameters in question include the serving eNB location(s), the cellular 
address of the UE to be located, the operating E-UTRA absolute radio frequency carrier 
number (EARFCN), and each eNB’s TA bias⁷. The mobile UE is uniquely identified with 
an international mobile subscriber identity (IMSI), which the network maps to a cellular 
software address. This software address must be known in order to ascribe the correct 
TA values to the UE since a multiplicity of UEs may receive TAs from a single eNB. The 
geometry of the serving eNB(s) can be ascertained directly by site survey or by statistically 
inferring eNB locations from data collected in the field (i.e., war driving) [26]. We assume 
the former in order to not confound the major sources of error. Finally, in practice, we find 
that each eNB has its own specific TA bias which must be known a priori in order to achieve 
an unbiased position estimate. This bias can be measured directly during site surveys. 

⁷ It should be noted that in practical scenarios involving a sectored eNB, the UE sector must also be known 
in order to ensure the third party can receive information transmitted from the tower to the UE. In this work, 
we assume that eNBs are not sectored. 

Figure 3.1. The proposed scheme for TA-based positioning 

Next, TA data issued from the network to the target UE are collected. If more than one 
eNB is serving the UE (a type of physically disjoint carrier aggregation) this collection is 
repeated for each of the N > 1 eNBs. As cellular technology evolves to embrace the idea 
of heterogeneous networks (i.e., LTE-A release 11+), the scenario where N > 1 becomes 
more realistic, drastically improving the quality of a position estimate. 

Once a TA from each serving eNB is collected, the option to refine the estimate further is 
or is not exercised. In order to simplify the analysis, we focus specifically on the case of 
localization and not tracking. In other words, prior information is not used to improve the 
current position estimate (e.g., Markov or Kalman filtering). Rather, one TA collection is 
used to perform a static position estimate of the target UE. The number and geometry of 
serving eNBs will later be shown to heavily influence the positioning accuracy. More eNBs 
will generally produce a more accurate estimate. The effect of the eNB geometry on the 
position estimate is more difficult to distill into a rule of thumb. However, in general terms, 
the more eNBs that are collinear or approximately collinear, the lower the precision. 

Figure 3.2. The CeSAR algorithm 


Positioning can be done from several frames of reference: the network, mobile, or third 
party. If the positioning is network-centric then the eNBs will communicate TAs issued 
back to a central server which will perform the position estimate of the target UE. If the 
positioning is mobile-centric, then the UE collects all issued TAs and performs the position 
estimate locally. In both of these cases it is trivial to acquire the local eNB geometry, 
UE address, and eNB bias since it is reasonably assumed that the network both knows 
these parameters and will be cooperative. Alternatively, if the positioning is done by a third 
party, the TAs will be observed over the air⁸ and the sensor can report its measurement in 
any number of ways to the third party. Because scheme initialization is non-trivial from a 
third-party viewpoint and thus the most arduous frame of reference to take, we hereafter 
assume this perspective. 

3.2 Cellular Synchronization Assisted Refinement 

If the option to refine the estimate is exercised, then the CeSAR algorithm [24], presented in 
Figure 3.2, is used. Notably, the algorithm requires input from an extra-network sensor. This 
sensor can be implemented with a relatively cheap software defined radio (SDR) solution 
and is detailed further in a later chapter. Ultimately, the algorithm adds an extra dimension 
to the existing TA-only system of equations and therefore has less error than the distance 
estimate provided by the TA(s) alone. This augmented system of equations is then later 
used to estimate the target UE position. 

CeSAR begins by orienting the sensor to the network by observing cellular network beacon 
signals. These signals communicate network organizational information which includes 
frame boundary locations in time. This synchronization enables the sensor to perform 
further demodulation and observation of network traffic. After the sensor is oriented, it 
observes a TA issued to the target UE from a serving eNB. From this information, the sensor 
determines both when the UE is instructed to transmit its next uplink burst and the target 
UE’s approximate distance from the eNB. Finally, the sensor estimates its distance to the 
target UE d' by calculating the time of flight of a UE uplink burst to the sensor. 

⁸ The TA will later be shown to be sent unencrypted, making this type of observation possible. 

This technique of augmentation has several advantages, foremost of which is that the 
augmentation is performed entirely passively. Because the sensor is not required to transmit 
during any portion of the augmentation it simultaneously makes the process impossible to 
detect from electromagnetic emanation and does not offer any further traffic load to the 
network. Furthermore, all information utilized in the refinement process is sent in plaintext, 
thus it does not require the sensor to bypass encryption. Additionally, strategic positioning 
of the sensor can overcome geometric dilution of precision (GDoP). Because control of 
the network geometry is usually not possible, this point is significant and is demonstrated 
further in the work. 

For the aforementioned reasons, we submit that the proposed method of augmentation 
is preferable from a network operator perspective and simultaneously attractive from a 
vulnerability analyst’s perspective. Because the additional required infrastructure (i.e., 
sensor) is inexpensive and, in contrast to LPP, does not offer further network load, it 
is an attractive solution to network providers seeking to maximize network performance 
while minimizing operational costs. Alternatively, it is also a significant finding from a 
vulnerability analyst’s perspective, because it is a passive technique that can be utilized 
relatively covertly. 

3.3 Position Estimation 

Once the data are collected (regardless of whether they are augmented with CeSAR) the 
position estimate can be made as in Figure 3.3. A benefit of the proposed scheme is that there 
is no requirement on the resulting system of equations (e.g., consistency, overdetermined, 
underdetermined, etc.). Specifically, the estimate is calculated through a nonlinear 
programming approach parameterized by the latent distributions of error which seeks the most 
likely position of the UE. This type of position estimate is termed the maximum-likelihood 
estimate (MLE). 

Figure 3.3. The method of position estimation 

When developing an MLE a critical first step is understanding the underlying error 
distributions associated with the measurements. This is perhaps the most crucial step, since the 
final position estimate is only the most likely position location if the error distribution is 
well understood. We will later cast the TA error as a quantized RV and show that the error 
can be modeled as normally distributed. Thus, the MLE of the true distance from a distance 
estimate $\hat{d}_i$ that is normally corrupted, for a single measurement, is the measurement result 
itself. This straightforward result hinges on the assumption made about the underlying error 
itself. However, the underlying phenomenon associated with a TA is complex; therefore, a 
significant amount of work is dedicated to substantiating the claim for latent normality. 

After $\hat{d}_i\ \forall i$ is established, if measurements are CeSAR-augmented, the vector of all $\hat{d}_i$ is 
concatenated with the CeSAR measurement $d'$. Explicitly, the resulting vector of 
measurements used to perform the position estimate is either $\hat{d} = [\hat{d}_1, \ldots, \hat{d}_N]^T$ if augmentation is 
omitted or $\hat{d} = [\hat{d}_1, \ldots, \hat{d}_N, d']^T$ if augmentation is implemented. Those $N$ or $N + 1$ 
measurements are then used to construct an error surface defined by the conditional probability 
density function $p(\hat{d} \mid d)$. 

Finally, finding the most likely position requires finding the argument $p = \hat{p}$ which 
maximizes the error surface $p(\hat{d} \mid d)$ via the program 

$$\hat{p} = \arg\max_{p}\; p(\hat{d} \mid d). \qquad (3.1)$$

For some distributions, finding the exact MLE requires an exhaustive search over all $p$ [10]. 
Because of the non-trivial computational burden levied by such a brute force approach, 
significant effort has been made in the research to find approximate solutions to this 
maximization program (e.g., [31]). Because this problem is well-traveled in the literature, it is 
not a focus of this work. Instead, we use computationally intensive means to arrive at $\hat{p}$ 
in order to avoid idiosyncrasies associated with some of the more nuanced solutions in the 
literature. 
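The exhaustive search behind (3.1), as an added example that is not code from this work: it evaluates a normal-error likelihood on a grid for two eNBs, then repeats the search with one extra range d' from a sensor placed off the eNB baseline. The coordinates, both standard deviations, the grid and the function names are constructed assumptions; ranges are rounded to the 78.125 m TA step.

```python
import math

TA_STEP_M = 78.125                     # one TA increment in meters
SIGMA_TA = TA_STEP_M / math.sqrt(12)   # assumed std: uniform rounding error of one step
SIGMA_SENSOR = 10.0                    # assumed std of the sensor range d'

# Constructed scenario (meters). Two eNBs are always collinear.
ENBS = [(-1000.0, 0.0), (1000.0, 0.0)]
SENSOR = (0.0, -1500.0)                # assumed sensor site, off the eNB baseline
UE_TRUE = (200.0, 600.0)               # constructed ground truth


def ta_range(distance_m):
    """Range implied by a TA: the true distance rounded to a whole TA step."""
    return round(distance_m / TA_STEP_M) * TA_STEP_M


def log_likelihood(p, anchors, d_hat, sigmas):
    """log p(d_hat | d) at candidate p for independent normal errors (constants dropped)."""
    total = 0.0
    for anchor, meas, sigma in zip(anchors, d_hat, sigmas):
        total -= 0.5 * ((meas - math.dist(p, anchor)) / sigma) ** 2
    return total


def mle_modes(anchors, d_hat, sigmas, half_width=2000, step=10, tol=1e-9):
    """Exhaustive grid search; returns every grid point that attains the maximum."""
    best, modes = -math.inf, []
    for y in range(-half_width, half_width + 1, step):
        for x in range(-half_width, half_width + 1, step):
            ll = log_likelihood((x, y), anchors, d_hat, sigmas)
            if ll > best + tol:
                best, modes = ll, [(x, y)]
            elif abs(ll - best) <= tol:
                modes.append((x, y))
    return modes


def run_demo():
    """Returns (TA-only maxima, maxima after adding the sensor range d')."""
    d_ta = [ta_range(math.dist(UE_TRUE, enb)) for enb in ENBS]
    ta_only = mle_modes(ENBS, d_ta, [SIGMA_TA] * len(ENBS))
    d_prime = math.dist(UE_TRUE, SENSOR)   # noise-free so the run is repeatable
    augmented = mle_modes(ENBS + [SENSOR], d_ta + [d_prime],
                          [SIGMA_TA] * len(ENBS) + [SIGMA_SENSOR])
    return ta_only, augmented


if __name__ == "__main__":
    ta_only, augmented = run_demo()
    for label, modes in (("TA only", ta_only), ("TA + d'", augmented)):
        for m in modes:
            print(f"{label}: estimate {m}, error {math.dist(m, UE_TRUE):.1f} m")
```

With two eNBs the likelihood has two equal maxima mirrored across the eNB baseline, so the system is underdetermined yet the search still returns an answer; the third range removes the mirror solution.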
3.4 Performance Metrics 

The Cramer-Rao Lower Bound (CRLB) is a well-accepted lower bound on the performance 
of an unbiased estimator [10], [48]. However, like the MLE, the CRLB is highly dependent 
on understanding the distribution of the underlying error. Additionally, the CRLB can be 
difficult to calculate in closed form for certain non-standard error distributions [21]. Despite 
the fact that the error associated with a TA is a discrete RV⁹ and thus strictly non-injective in 
terms of the observed rounded RV, we will show that the CRLB can be derived through an 
understanding of the RV through the lens of quantization. The values realized by evaluation 
through the CRLB are also somewhat abstract as they are given in mean-squared error 
(MSE) or root mean-squared error (RMSE). In both cases, the errors are squared before the 
mean is taken (in the case of RMSE the root of the mean is then taken) via 

$$\mathrm{MSE} = \frac{1}{N}\sum_{i=1}^{N} \lVert p_0 - \hat{p}_i \rVert^2, \qquad \mathrm{RMSE} = \sqrt{\frac{1}{N}\sum_{i=1}^{N} \lVert p_0 - \hat{p}_i \rVert^2} \qquad (3.2)$$

for $N$ trials, where $\lVert \cdot \rVert$ is the Euclidean norm. Of these two abstract metrics, RMSE provides 
values that are most easily understood. While the RMSE cannot be directly translated to 
mean error, the values are the most intuitively satisfying. 


While we rely primarily on the CRLB to show theoretical lower bounds on the performance, 
accuracy is also demonstrated in specific cases with the circular error probable (CEP). CEP 
is established in context of a certain percentage. For example, CEP 70% will result in a 
distance within which the error associated with $\hat{p}$ will fall with probability 0.7. To further 
illustrate the contribution of this metric we present a case study in Figure 3.4. In this 
figure, a UE is located at $p_0 = [0, 0]^T$ and successive position estimates are made which 
are corrupted by independent and identically distributed normal measurement noise in both 
the orthogonal Cartesian directions. In the left pane of the figure, a cumulative density 
function (CDF) representing the error associated with the position estimate is shown. The 
CDF describes the probability that a realization of a RV $X$ will fall below a given value $x$ 
via [49] 

$$F_X(x) = \Pr[X \le x] = \int_{-\infty}^{x} f_X(y)\,dy \qquad (3.3)$$

where $F_X(\cdot)$ is the CDF and $f_X(\cdot)$ is the PDF defined by [49] 

$$f_X(x) = \frac{d}{dx} F_X(x). \qquad (3.4)$$

⁹ The TA can be seen as a rounded distance measurement; see Chapter 4 for further treatment of the TA. 

Figure 3.4. The circular error probable at 50%, 70%, and 90% shown with 
a CDF and in simulation 

The values of $x$ for $F_X(x) = \{0.5, 0.7, 0.9\}$ are all shown on the x-axis in the left pane 
of Figure 3.4 and can be interpreted as the distance from the true position that a certain 
percentage of the estimates $\hat{p}_i$ will fall. For instance, in the case of the study presented in 
Figure 3.4, 70% of all position estimates will fall within 1.57 units of $p_0$. 

While CEP gives a more intuitive metric, it is most useful in Monte-Carlo simulation with 
more complex underlying errors and cannot usually be derived analytically. Additionally, 
we sometimes present the empirical moments from a simulation along with CEP in order 
to provide a more complete statistical picture. However, the empirical moments do not 
necessarily align with the CEP metric. In other words, if $X_1$ and $X_2$ are both RVs it could 
be that $X_1$ has a lower CEP 70%, but $X_2$ has a lower mean error. 
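The metrics above computed from a Monte-Carlo run, as an added example that is not code from this work: it estimates RMSE and CEP for the i.i.d. normal case study, checks CEP against the Rayleigh closed form that holds for that case, and builds two error distributions in which CEP 70% and mean error rank the estimators in opposite order. The noise variance behind Figure 3.4 is not stated, so unit variance is an assumption, as are the seeds, the mixture parameters and all function names.

```python
import math
import random


def radial_errors(sigma, n_trials, seed, sigma_outlier=None, p_outlier=0.0):
    """Errors ||p0 - p_hat|| for p0 = [0, 0]^T with i.i.d. normal noise on each axis.

    With p_outlier > 0 that fraction of trials uses sigma_outlier instead, which
    models an estimator that is usually tight but occasionally far off.
    """
    rng = random.Random(seed)
    errors = []
    for _ in range(n_trials):
        s = sigma_outlier if rng.random() < p_outlier else sigma
        errors.append(math.hypot(rng.gauss(0.0, s), rng.gauss(0.0, s)))
    return errors


def rmse(errors):
    """Root of the mean of the squared errors, as in (3.2)."""
    return math.sqrt(sum(e * e for e in errors) / len(errors))


def cep(errors, fraction):
    """Empirical CEP: smallest observed radius containing `fraction` of the errors."""
    ordered = sorted(errors)
    return ordered[max(math.ceil(fraction * len(ordered)) - 1, 0)]


def rayleigh_cep(sigma, fraction):
    """Closed form for the i.i.d. normal case, where the radial error is Rayleigh."""
    return sigma * math.sqrt(-2.0 * math.log(1.0 - fraction))


def summarize(errors):
    return {
        "mean": sum(errors) / len(errors),
        "rmse": rmse(errors),
        "cep50": cep(errors, 0.5),
        "cep70": cep(errors, 0.7),
        "cep90": cep(errors, 0.9),
    }


def compare_estimators(n_trials=20000):
    """X1: tight with 20% gross outliers. X2: uniformly moderate. Units are meters."""
    x1 = summarize(radial_errors(8.0, n_trials, seed=1,
                                 sigma_outlier=300.0, p_outlier=0.2))
    x2 = summarize(radial_errors(40.0, n_trials, seed=2))
    return x1, x2


if __name__ == "__main__":
    unit = summarize(radial_errors(1.0, 20000, seed=0))
    print("unit variance:", {k: round(v, 3) for k, v in unit.items()})
    print("Rayleigh CEP 70%:", round(rayleigh_cep(1.0, 0.7), 3))
    for name, stats in zip(("X1", "X2"), compare_estimators()):
        print(name, {k: round(v, 1) for k, v in stats.items()})
```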


3.5 Summary 

The proposed scheme has several distinct advantages and limitations. In contrast to TA-based 
resolution in legacy networks, the scheme is accurate on the order of tens of meters. 
However, the accuracy is proportional to the number of available eNBs N so, in the 
common legacy case where N = 1, accuracy suffers somewhat. Nonetheless, as cellular 
infrastructure evolves, it is expected that the case where N > 1 will become increasingly 
common [3] lending itself to multiple eNB positioning. With augmentation, accuracy can 
also be improved on the order of tens of meters and without the need for any emissions 
from the augmentation sensor (i.e., passively). This makes CeSAR augmentation a sensible 
choice for heavily congested networks and applications requiring discretion since it does not 
add traffic to the existing network. An obvious limitation is that it requires extra hardware 
to be introduced into the network. 

In the subsequent chapters, we detail the efficacy of the proposed solution approach through 
a thorough treatment of data collection, CeSAR augmentation, and position estimation. 
CHAPTER 4: 

Morphology of the LTE Timing Advance 


In this section, we present a review of the LTE standard with the specific focus of the 
structure and relationship of the TA to the protocol at large. The operation of the TA in 
current (legacy) network deployments and future (heterogeneous) deployments is discussed. 

This chapter includes adaptations from work which has been previously published by the 
author. Specifically, sections 4.1-4.6 are taken from “Cellular Synchronization Assisted 
Refinement (CeSAR): A Method for Accurate Geolocation in LTE-A Networks” by John 
Roth, Murali Tummala, and James Scrofani published in the proceedings of the 49th Hawaii 
International Conference on System Sciences in January 2016 [24]. Section 4.7 is revised 
from “Maximum Likelihood Geolocation in LTE Cellular Networks Using the Timing 
Advance Parameter” by John Roth, Murali Tummala, John McEachen, James Scrofani, and 
Robert DeGabriele to be published in the proceedings of the 10th International Conference 
on Signal Processing and Communication Systems in December 2016 [21]. Section 4.8 is 
revised from “Location Privacy in LTE: A Case Study on Exploiting the Cellular Signaling 
Plane’s Timing Advance” by John Roth, Murali Tummala, John McEachen, and James 
Scrofani to be published in the proceedings of the 50th Hawaii International Conference on 
System Sciences in January 2017 [28]. 


4.1 Time Alignment Management in LTE 

The TA is a signaling plane parameter with the purpose of reconciling UE mobility with 
quality of service. LTE uses an orthogonal frequency-division multiple access (OFDMA) 
scheme which requires that transmissions are highly disciplined in time and frequency 
in order to avoid intersymbol interference with other UEs sharing service with the same 
eNB [22]. As UEs move throughout a serving cell their distance to the serving eNB 
may change thus changing the propagation delay between the UE and the eNB. The eNB 
constantly estimates the UE-eNB distance and issues TA updates in order to ensure the UE 
is continuously synchronized in time relative to the propagation delay. 

Ever since GSM, the TA quantity has been recognized as useful for positioning cellular 
devices [23], [40]. In this section we aim to develop context for the TA inside LTE networks. 

Figure 4.1. The random access response (RAR) message found in the media 
access control (MAC) header. Bit boundaries are denoted by the bar above 
the figure. Adapted from [50]. 

The TA takes two forms during normal cellular operation. The first is the TA that is 
negotiated during the initial network random access. After the UE has obtained downlink 
synchronization via the primary and secondary search signals (PSS/SSS) and the 
corresponding system information from the master and system information blocks (MIB/SIB) 
the UE requests network access from the eNB via a random access preamble. If the request 
is successful the eNB continues network access negotiation with a random access response 
(RAR) message. As seen in Figure 4.1, inside this message are the cell radio network 
temporary identifier (C-RNTI)¹⁰, an uplink resource grant, and an 11-bit TA quantity where 
$T_A \in \{0, 1, \ldots, 1282\}$ [50]. This quantity directs the UE to begin transmission of its uplink 
frame $16 \times T_A \times T_s$ seconds before the beginning of the corresponding downlink frame, 
where $T_s$ is the sampling frequency [51], [52]. 

The second form the TA takes is during normal maintenance of the eNB-UE connection. 
Unlike the TA during initial network access, this TA only adjusts the UE’s uplink timing 
based on its current timing and is thus relative. As the mobile device moves throughout the 
vicinity of the eNB its distance to the eNB will likely change. In order to maintain the uplink 
timing alignment, the eNB will periodically issue TA commands to the UE. These six-bit 
TA commands come in the form of a medium access control (MAC) control element (CE) as 
seen in Figure 4.2 [50]. Because only six bits are used, $T_A \in \{0, 1, \ldots, 63\}$. Each command 
moves the UE’s current uplink timing by $16 \times (T_A - 31) \times T_s$ seconds. The possibility of a 
negative value allows for the uplink timing to be advanced or retarded depending on which 
direction the UE is moving relative to the eNB [51], [52]. 

¹⁰ This is a temporary user address which will receive further discussion in Section 4.3. 

Figure 4.2. The legacy timing advance command (top) and the release 10+ 
timing advance command (bottom). Bit boundaries are denoted by the bar 
above the figure. Source: [50]. 

Additionally, as of Release 9, type 1 and type 2 TAs are introduced [53]. A type 2 TA is 
determined by the eNB via the UE generated random access preamble and calculated as 

$$TA_2 = t_{eNB,Rx} - t_{eNB,Tx} \qquad (4.1)$$

where $t_{eNB,Rx}$ is the time instance where the eNB receives the UE random access preamble 
as determined by the first path and $t_{eNB,Tx}$ is the standard eNB frame timing. A type 1 TA 
is calculated during the maintenance phase via 

$$TA_1 = (t_{eNB,Rx} - t_{eNB,Tx}) + (t_{UE,Rx} - t_{UE,Tx}) \qquad (4.2)$$

where the first difference is the time separation between a received uplink frame and its 
transmit timing and the second difference is the time separation of those same frames only 
this time at the UE. The second difference is always positive, while the first may be positive 
or negative. The type 1 TA theoretically allows the eNB to determine the round trip time 
with arbitrarily small error and use this to advance or retard the served UE’s uplink timing. 
It should be noted that the type 1 TA is never sent over the radio link and is thus not available 
for exploitation over the air by a third party; however, we later discuss how a passive listener 
can use this principle to refine an observed TA command via CeSAR. 

Figure 4.3. The uncertainty associated with TA distance measurements 

Both the initial and maintenance TA are sent in plaintext. The first, which is found in 
the RAR, is sent before a security key is negotiated and thus must necessarily not be 
encrypted. The maintenance TA is sent as a MAC CE. Since the CEs are sent as part of 
the MAC header, which is below the Packet Data Convergence Protocol (PDCP) sublayer, 
it is also not encrypted. This enables a third party within range to observe this traffic in 
plaintext. However, if the third party does not observe the initial TA it will be more difficult 
to effectively use the maintenance TA for ranging as each one is relative to the previous 
absolute TA maintained by the UE and the network.¹¹ 

4.2 Uncertainty in the Timing Advance 

Largely because of the discrete nature of the TA, a single measurement from an eNB will 
reduce the possible location of the UE to an annulus of fixed width, $r$. This annulus, with 
the eNB as its center, is shown in Figure 4.3. This discrete error is also exacerbated by 
error associated with the eNB antenna height, multipath propagation, and clock bias [42]. 
By analyzing the quantization error we can determine the width of the area of uncertainty. 

¹¹ This section was revised from [24]. 

As stated previously, a TA will change a UE’s uplink timing in increments of $16 \times T_s$. The 
parameter $T_s$ is the LTE basic unit of time and is given by 

$$T_s = \frac{1}{15\,000 \times 2048}\ \text{seconds} \qquad (4.3)$$

where 15 000 corresponds to the subcarrier spacing of 15 kHz and 2048 corresponds to 
the maximum Fast Fourier Transform (FFT) size [23], [51]. Assuming speed of light 
propagation, the range of uncertainty $r$ can then be calculated by 

$$r = 16 \times \frac{1}{2} \times \frac{c}{15\,000 \times 2048} = 78.125\ \text{meters} \qquad (4.4)$$

where $c$ is the speed of light and the extra factor of 1/2 is included because the eNB must 
consider the downlink propagation time for the command to reach the UE when issuing a 
TA. 

This line of analysis can also be used to determine the maximum eNB-UE range supportable 
by LTE. Since the maximum initial TA value is 1282, the formula in (4.4) can be used to 
determine a maximum supportable distance of approximately 100 km.¹² 
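What a sequence of TA values does and does not determine, as an added example that is not code from this work: it combines the absolute 11-bit TA of Section 4.1 with the relative 6-bit commands and converts the result to the annulus of Section 4.2, and it shows that commands seen without an initial TA give only a relative change. The class, its method names and the event list are hypothetical; centring the annulus on the TA value (the rounded-distance view) and flooring the absolute TA at zero are assumptions.

```python
TA_STEP_M = 16 * 3.0e8 / (2 * 15_000 * 2048)   # r from (4.4) with c = 3e8 m/s
MAX_INITIAL_TA = 1282    # largest 11-bit value sent in the RAR
MAX_TA_COMMAND = 63      # largest 6-bit value sent in the MAC CE
NEUTRAL_COMMAND = 31     # a command of 31 leaves the uplink timing unchanged


class TimingAdvanceState:
    """Absolute TA implied by one initial TA plus the relative commands after it."""

    def __init__(self):
        self.absolute = None   # TA steps; unknown until an initial TA is seen
        self.drift = 0         # net relative steps seen while `absolute` is unknown

    def initial(self, ta):
        if not 0 <= ta <= MAX_INITIAL_TA:
            raise ValueError(f"initial TA {ta} outside 0..{MAX_INITIAL_TA}")
        self.absolute, self.drift = ta, 0

    def command(self, ta_cmd):
        if not 0 <= ta_cmd <= MAX_TA_COMMAND:
            raise ValueError(f"TA command {ta_cmd} outside 0..{MAX_TA_COMMAND}")
        delta = ta_cmd - NEUTRAL_COMMAND
        if self.absolute is None:
            self.drift += delta                              # relative information only
        else:
            self.absolute = max(0, self.absolute + delta)    # assumed floor at zero

    def annulus_m(self):
        """(inner, outer) radius around the eNB, or None without an initial TA."""
        if self.absolute is None:
            return None
        centre = self.absolute * TA_STEP_M
        return max(0.0, centre - TA_STEP_M / 2), centre + TA_STEP_M / 2


def replay(events):
    """Applies constructed ('rar', value) and ('ce', value) events in order."""
    state = TimingAdvanceState()
    for kind, value in events:
        if kind == "rar":
            state.initial(value)
        elif kind == "ce":
            state.command(value)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return state


if __name__ == "__main__":
    full = replay([("rar", 13), ("ce", 31), ("ce", 33), ("ce", 32)])
    late = replay([("ce", 33), ("ce", 30)])          # initial TA was never seen
    print("step:", TA_STEP_M, "m; max range:", MAX_INITIAL_TA * TA_STEP_M, "m")
    print("with initial TA:", full.absolute, "steps, annulus", full.annulus_m())
    print("without initial TA:", late.annulus_m(), "net change",
          late.drift * TA_STEP_M, "m")
```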


4.3 Software Address Space in LTE 

Because a multiplicity of users will be simultaneously connected to a given eNB and 
because each user may be at different distances from the eNB, each UE must be able to 
determine which TAs are issued to which UEs. To this end, each TA is associated with a 
destination address in the form of a 16-bit C-RNTI. The C-RNTI is effectively a temporary 
software address issued by the network to each UE analogous to an Internet Protocol 
address. The C-RNTI is initially leased to a UE during network access negotiation via 
the RAR message. Maintenance TAs are associated with a specific C-RNTI via downlink 
scheduling assignments made on the Physical Downlink Control Channel (PDCCH) found 
in the L1/L2 control region of each subframe [22]. Because the L1/L2 control region of each 
subframe needs to be decoded by every UE, it is sent in the clear. Therefore, a third party 
could use the information in the PDCCH to find the resource on which a transport block for 
a particular UE is located. The corresponding transport block could then be searched for 
a TA CE. Of particular importance with respect to C-RNTI attribution is that UE network 
access must be observed in order to initially associate a C-RNTI with a particular UE IMSI 
as the IMSI is not frequently transmitted unencrypted. 

¹² This section was revised from [24]. 


4.4 Timing Adjustment Frequency 

The frequency of the maintenance TA is of particular importance as we would like to know
how often this information is transmitted and thus how available it is. This frequency is
lower bounded by an LTE parameter timeAlignmentTimer [54]. This timer is reset each
time a TA is received from the eNB. If the timer expires, the radio connection is considered
out of synchronization and the UE must renegotiate with the network to restore its uplink
time synchronization. Because of this, the TA frequency must ensure a TA is issued within
the period of time specified by the timeAlignmentTimer. This parameter has configurable
finite durations {500, 750, 1280, 1920, 2560, 5120, 10240} which is common for all serving
cells per UE. The duration corresponds to the maximum number of subframes sent in
between TAs. Because subframes are continuous in LTE and because each subframe is
stipulated as 1 ms long by the standard, the available durations can also be interpreted as
number of milliseconds [51]. Therefore, when configured for finite¹⁴ duration, we can
expect a TA to be sent no less frequently than anywhere from every one half second to
every ten seconds. In practice, TAs are sent more often than this, usually
several times per second [22]. During field measurements, we observed TA
issuance frequencies at the sub-second level. This frequency of the TA will be sufficient for
the purpose of nearly-continuous positioning.¹⁵


4.5 Heterogeneous Networks 

Heterogeneous network deployments were introduced in LTE Release 10 which, among
other improvements, allowed for increasing the data capacity of a network through carrier
aggregation. Carrier aggregation is a method by which several carriers may be configured
to support a single UE. When carrier aggregation is used, a primary cell (PCell) and
one or more secondaries (SCell) may be configured to support a single UE. The Radio
Resource Control (RRC) sublayer is responsible for selecting a PCell and then configuring
appropriate SCells [54]. Release 11 further provides support for PCells and SCells that are
not co-located. In order to maintain uplink synchronization among all serving cells it was
necessary to establish the concept of the timing advance group (TAG). Serving cells that
are co-located are assigned to the same TAG, thus removing the need for separate TAs for
each individual cell. As seen in Figure 4.2, TAGs are associated with TA updates in the
two-bit TAG ID field. The size of the TAG ID field indicates the specification is designed
to eventually support up to three additional SCells or four total separate channels.¹⁶

¹³ This section was revised from [24].
¹⁴ The standard also allows for a configurable infinite duration of timeAlignmentTimer.
¹⁵ This section was revised from [24].

4.6 Timing Advance Positioning during Handovers and 
with Coordinated Multipoint 

In order to facilitate inter-cell mobility, UEs must monitor and evaluate the received signal 
quality of neighboring cells. The type and frequency of measurements are configurable and 
are dictated by the network. Measurements normally involve acquisition of the cell PSS 
and SSS. After this is complete, the UE will have determined the cell-ID and the downlink 
synchronization giving it access to the cell-specific reference signal. This signal is then 
used to determine the reference signal received power (RSRP) and/or the reference signal 
received quality (RSRQ). If the RSRP or RSRQ is larger than a configurable quantity then 
that cell will be selected for handover. Handovers may occur for various other reasons such 
as network load management [54]. 

In the case of a network initiated handover, the UE is notified by the serving eNB via a
message that is generated by the target eNB¹⁷. This message may include mobility information
such as the target cell-ID, physical layer parameters, and the new C-RNTI to assist
the UE in establishing its new connection. Notably, the handover is asynchronous, meaning
the UE will begin the random access procedure with the target eNB which will involve
the negotiation of a new initial TA concurrently while still receiving a TA from the source
eNB [54].

The presence of two TAs from spatially disparate beacons presents a unique opportunity
for gleaning location information. By processing this information at the E-SMLC with
TDoA methods, a hyperbolic annular locus can be described around the source and target
eNBs. The advantage of this type of scenario lies in no requirement for the UE to be tightly
synchronized with the network, effectively removing the error from clock bias. Alternatively,
the ToA method may be used which will result in two annuli from the two TAs. The two
annuli reduce the target locus to their area of intersection. Finally, if ciphering is not
enabled, the target eNB will issue a new C-RNTI to the UE in the clear allowing a passive
listener to map the previous C-RNTI to the new.

¹⁶ This section was revised from [24].
¹⁷ More specifically, this message is passed as an RRCConnectionReconfiguration message [54].

Coordinated Multipoint (CoMP), potentially part of Release 11, is a related technique that
aims to improve quality of service at cell boundaries by coordinating the reception of a UE
signal at multiple eNBs [55]. Uplink timing alignment becomes difficult in such a scenario,
as the UE cannot transmit the same signal at different times to ensure each cell receives a
time-aligned signal. Solutions to this problem generally involve synchronizing the uplink
timing to the nearest serving cell [56] and then selecting other appropriate cells such that
the other received signals arrive within the duration of the cyclic prefix [57]. Thus, while it is
still an open area of research, the general consensus is for the UE to be uplink synchronized
to the closest serving cell [55], [57]. Since CoMP provides no additional location-based
information (i.e., the network still only issues one TA) it is not considered further in this
study.¹⁸

4.7 The Empirical Timing Advance 

To shed light on the behavior of the TA in the wild, we examine real-world data observed 
in Maryland and California and shown in Figure 4.4 and Figure 4.5. First we examine the 
data presented in Figure 4.4, which represents collections where the UE was traveling at 
a constant rate in a suburban environment such that the distribution of eNB-UE distances 
during measurement is approximately uniform. From this subset of data, we make two 
observations. 

First, in most cases the variance offered by the TA was relatively small compared to the
variances contributed by the measurement error. For example, the average variance among
all locations was $\sigma^2 \approx 3500\ \text{m}^2$ while the theoretical variance offered by the LTE TA is
$\approx 500\ \text{m}^2$.

¹⁸ This section was revised from [24].

Figure 4.4. Timing advance errors recorded in real-world LTE network deployments
in Maryland (a) and California (b). Adapted from [21].


Second, it was previously hypothesized [28] that the underlying error distribution could 
be modeled as normal. By initial inspection of these data with the normal distribution in 
Figure 4.4, we find no reason to reject the hypothesis. 

Next, we present the results of an experiment conducted at four different locations and
designed to elicit the difference in NLoS versus LoS channels. At each of four locations
{A,B,C,D}, the distance to a serving eNB was estimated using received TAs. The first- and
second-order statistics of the resulting error are presented in Figure 4.5. Each location was
characterized as either a dense urban (locations A-C) or suburban environment (location
D). Dense urban locations were located in the city center of Baltimore, Maryland, which is
largely comprised of tightly-packed skyscrapers. The suburban location was in the outlying
area surrounding Baltimore. At each location the distance was fixed (i.e., the UE was
stationary) and the TA was recorded for a period of one minute when the serving eNB
could be directly seen (LoS). The procedure was then repeated at a nearby location where
there was a major obstruction in the line-of-sight to the same serving eNB. Histograms
representing the raw error measurements are presented in Appendix A. These histograms
can be interpreted as probability mass functions since, with distance constant, the error will
be in increments of 78.125 m (cf. (4.4)).

Referring to Figure 4.5, we observe little difference in standard deviation between LoS
or NLoS conditions or dense urban or suburban environments. The measurement error
variance can then be considered independent of channel environment which is consistent
with the channel model presented in Chapter 2 and with previously reported results [10].

Figure 4.5. Data are presented which have been recorded at a fixed distance
from eNBs in dense urban and rural environments. Data were recorded
when there was a LoS to the eNB and when there was not in the same
general location at four different locations {A,B,C,D}. Locations A-C are
dense urban environments and location D is a suburban environment. Mean
error and standard deviation of error are presented.

Second, the mean error is highly dependent on channel conditions (i.e., LoS versus NLoS or
suburban versus dense urban). As expected, dense urban and NLoS environments resulted
in a higher mean error. In all cases the mean error of NLoS measurements was significantly
different from the mean error of the LoS measurements at the 5% significance level¹⁹. Our
experiments yielded a $\mu_{\text{NLoS}} - \mu_{\text{LoS}} \in [20\ \text{m}, 80\ \text{m}]$. The difference in urban versus suburban
channels was also noticeable. Our experiments showed $\mu_{\text{urban}} - \mu_{\text{suburban}} \in [60\ \text{m}, 220\ \text{m}]$.

Finally, we note that an eNB-specific TA bias is present in each one of the data sets collected.
In other words, the mean of all measurements (for constant channel type) will differ.
Referring to the measurements presented in Figure 4.5 we see that for LoS environments
the mean value has range $\in [-20\ \text{m}, 114\ \text{m}]$. Similarly, for NLoS environments the mean
value has range $\in [31\ \text{m}, 197\ \text{m}]$. While it was for these observations that $\mu_{\text{NLoS}} - \mu_{\text{LoS}} >$
the underlying bias is more difficult to predict. This is a value that must be measured and
understood a priori in order to use the TA to provide an unbiased position estimate. As
mentioned in Chapter 3, this quantity is assumed as a given input to the overall scheme.²⁰

¹⁹ Statistical difference was established using Student's t-test which requires the underlying data to be
normally distributed. Despite the data being discrete, this assumption is further validated through analysis in
Chapter 6.

4.8 The Timing Advance as a Location Privacy Preserving 
Mechanism 

A location privacy preserving mechanism (LPPM) is a paradigm for protecting user location
privacy and has two components: obfuscation and anonymization [58]. More specifically,
an LPPM is a formal mechanism for modeling the amount of privacy a scheme affords. We
thus find it a useful construct in evaluation of the TA since a third party may not have
network assistance in obtaining the desired parameters for positioning.

The act of obfuscating a location will add noise to the actual location, $d = f_1(p)$; thus a
third party using obfuscated-only data $(u_i, d)$ will have access to user identities, but the
associated location data will be imperfect. The act of anonymizing data will replace the
user identity with a pseudonym, $u = f_2(p_i)$; thus a third party using anonymized-only data
will have access to exact locations but not identities. An obfuscated and anonymized data
set $(u, d)$ will provide a third party access to neither piece of information directly.

Formally, the TA can be modeled as an LPPM. The noise added to the data can be modeled
with the function

$$\hat{d}_i = \operatorname{mod}(\lVert \mathbf{p}_i - \mathbf{p}_0 \rVert, r) \tag{4.5}$$

assuming an ideal TA model. In other words, the TA obfuscates the actual UE position
through a process of spatial quantization. Next, the network anonymizes the UE through
assignment of a C-RNTI [22]. As previously discussed, the C-RNTI can be thought of as a
software address and is assigned dynamically. Therefore, the C-RNTI mapping $f_{\text{C-RNTI}}(\cdot)$
can be thought of as LPPM anonymization.

This LPPM is weak for several reasons. As will later be demonstrated, the quality of the
location obfuscation declines rapidly when multiple eNBs are configured. The quality of
anonymity provided by $f_{\text{C-RNTI}}(\cdot)$ is also in question [59], [60]. We therefore assume
C-RNTI attribution in this work and focus specifically on de-obfuscation of the UE location
$\mathbf{p}_0$.²¹

²⁰ This section was revised from [21].
²¹ This section was revised from [28].


CHAPTER 5:

Cellular Synchronization Assisted Refinement 


This chapter specifies the details of the Cellular Synchronization Assisted Refinement 
(CeSAR) algorithm for improving TA-based positioning. Besides details of the algorithm, 
implementation of the required sensor is also included. CeSAR was first introduced in [24] 
and is also studied in [21], [28], [29], [61]. 

This chapter includes adaptations from work submitted for publication or previously published
by the author. Specifically, section 5.1 is revised from “On Location Privacy in
LTE” by John Roth, Murali Tummala, John McEachen, and James Scrofani which has been
submitted for publication [29]. Section 5.3 is revised from “Location Privacy in LTE: A
Case Study on Exploiting the Cellular Signaling Plane’s Timing Advance” by John Roth,
Murali Tummala, John McEachen, and James Scrofani to be published in the proceedings
of the 50th Hawaii International Conference on System Sciences in January 2017 [28].

5.1 The Cellular Synchronization Assisted Refinement Algorithm

CeSAR, depicted in Figure 5.1, involves a third party using its knowledge of a UE’s transmit
timing to refine an area within the initial TA annulus where that UE may be located.



Figure 5.1. A single eNB implementation of the CeSAR algorithm

Algorithm 1 The Cellular Synchronization Assisted Refinement Algorithm. Source: [29].

 1: procedure CESAR($\mathbf{p}_{\text{eNB}}$, $\mathbf{p}_{\text{sensor}}$, target C-RNTI)
 2:     function PSS/SSS SYNC()
 3:         sensor ← eNB downlink frame timing
 4:     end function
 5:     repeat
 6:         X ← observed C-RNTI
 7:     until
 8:         X == target C-RNTI
 9:     $d_i \leftarrow \text{TA} \times 78.125$ m
10:     $t \leftarrow$ est_Tx_Time(TA)
11:     $t' \leftarrow$ observed uplink burst time
12:     $\Delta t \leftarrow t' - t$
13:     $d' = \Delta t \cdot c$
14:     $\hat{\mathbf{d}} \leftarrow [\hat{d}_1, \ldots, \hat{d}_N, \hat{d}']^T$
15:     $\hat{\mathbf{p}} = \arg\min_{\mathbf{p}}\, p(\hat{\mathbf{d}} \mid \mathbf{d})$
16: end procedure

Generally, the procedure takes advantage of the fact that the TA contains two pieces of
information: the distance of the UE to the serving eNB and the UE’s uplink transmit time.
By exploiting both of these pieces of information, instead of just the eNB-UE distance,
a refined position estimate can be made. If a local sensor knows the UE’s transmit time
t and can record the time t' when the sensor observes the transmission then the distance
from the sensor to the UE can be determined by way of UE-sensor propagation delay. In
this way, CeSAR applies the principle behind the type 1 TA at the sensor location. As
previously stated, this effectively adds another dimension to the system of equations. A
necessary requirement to reap this benefit is a sensor in the serving cell/sector of the target
UE. In addition to the overall system initialization requirements (cf. Chapter 3), the CeSAR
procedure further requires that the position of the sensor be known a priori.

Besides improving position accuracy, CeSAR has several strengths [29]:

1. It can be performed completely passively. Therefore, during third party use the sensor
cannot be detected from electromagnetic emanations [24].

2. Strategic positioning of the sensor can overcome GDoP [10] caused by eNBs arranged
disadvantageously. This is a strength that will be shown in Chapter 8 to improve
accuracy significantly [29].

3. The sensor need not be complex. The advent of SDR has put this method within
reach of reasonably skilled actors. Furthermore, SDR technology has significantly
lowered the monetary cost of entry to this type of exploitation.

4. All of the timing information is sent below the PDCP sublayer, and thus, in the
clear [28]. Therefore, there is no need to bypass encryption.

Referring now to Algorithm 1 and Figure 5.1, we give a detailed account of the procedure.
First, the sensor listens for the PSS/SSS from a serving eNB (steps 2-4). This is necessary
for synchronizing itself to the base station thus giving it the ability to decode cell data. Next,
the sensor decodes packets that it receives until it finds the target C-RNTI (steps 5-8). Once
a downlink frame being sent to the target UE has been identified (step 8), the associated TA
is observed in the MAC CE and converted to the UE-eNB distance $d_i$ (step 9). If there are
N serving eNBs, this process can be repeated N − 1 times. Simultaneously, the TA is used
to estimate the target UE’s uplink transmission time t (step 10). With this information, the
sensor can measure the propagation delay $\Delta t$ from the UE to the sensor and convert that to
a UE-sensor distance measurement d' (steps 11-13). This additional distance measurement
is added to the distance measurements $[\hat{d}_1, \ldots, \hat{d}_N]$ obtained from the N serving eNBs to
form the system of equations represented by $\hat{\mathbf{d}}$.

Note that steps 10-13 are designed to extract uplink burst timing information from just one 
of the N serving eNBs. While it is possible to extend CeSAR to repeat these steps across all 
N eNBs, this will not result in any further information. To see this consider that the extra 
information gleaned describes a circular locus around the sensor, therefore, additional uplink 
burst timing information will only re-describe the same circular locus. Thus, attempting to 
add dimensionality to $\hat{\mathbf{d}}$ in this manner will result in dependent equations whose loci will
have an infinitude of intersections. 

In addition to being nonlinear, the resulting system of equations is inconsistent with high
probability due to measurement error induced by the channel (cf. Chapter 2) and spatial
quantization associated with the TA; thus, solving this system is non-trivial and is the impetus
for much of the analysis in Chapter 6. Presently, it is sufficient to treat the nature of the
measurement error as following some unspecified probability density $p(\hat{\mathbf{d}} \mid \mathbf{d})$.

In order to estimate the target UE position, $\mathbf{p}$, we frame the problem in the maximum-likelihood
sense. In other words, for a set of observed distance measurements, $\hat{\mathbf{d}}$, the most
likely position estimate is one that satisfies

$$\hat{\mathbf{p}} = \arg\min_{\mathbf{p}}\, p(\hat{\mathbf{d}} \mid \mathbf{d}). \tag{5.1}$$

If all measurements follow the same error distribution then we can parameterize the program
represented in (5.1) with the distribution $p(\cdot)$. The claim that $\hat{\mathbf{p}}$ is the most likely location of
the target UE is heavily dependent on the knowledge of the associated error distributions;
thus, characterizing this distribution will be the subject of analysis in Chapter 6.²²

Figure 5.2. The hardware sensor configuration used in this work
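
Steps 9-15 of Algorithm 1 worked through on constructed coordinates, as an added example that is not code from this work. The function names, the frame-timing model in `est_tx_time` and `observe_burst`, the normal-error assumption that turns step 15 into a least-squares fit, and all positions are assumptions made for the illustration.

```python
"""Algorithm 1, steps 9-15, on constructed geometry (added example)."""
import math

C = 3.0e8                            # speed of light, m/s (gives the 78.125 m of eq. (4.4))
TS = 1.0 / (15_000 * 2048)           # LTE basic time unit T_s, eq. (4.3)
R = 16 * C / (2 * 15_000 * 2048)     # TA step in metres, eq. (4.4)


def ideal_ta(enb, ue):
    """Ideal TA model of (4.5): the true range is floored to a multiple of R."""
    return math.floor(math.dist(enb, ue) / R)


def est_tx_time(frame_start, ta):
    """Step 10 (assumed model): the UE transmits one TA-derived one-way delay
    before the eNB frame boundary the sensor is synchronised to."""
    return frame_start - ta * 16 * TS / 2


def observe_burst(frame_start, enb, ue, sensor, ta):
    """Constructed observation t': the UE hears the frame after the true delay,
    advances by the quantised TA, and the burst then travels to the sensor."""
    tx = frame_start + math.dist(enb, ue) / C - ta * 16 * TS
    return tx + math.dist(ue, sensor) / C


def estimate_position(anchors, ranges, start, iters=50):
    """Step 15 under an assumed i.i.d. zero-mean normal error model, where the
    most likely position is the nonlinear least-squares fit (Gauss-Newton)."""
    x, y = start
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (ax, ay), d in zip(anchors, ranges):
            rng = math.hypot(x - ax, y - ay) or 1e-9
            ux, uy = (x - ax) / rng, (y - ay) / rng   # unit vector anchor -> estimate
            res = d - rng                             # measured minus predicted range
            a11 += ux * ux
            a12 += ux * uy
            a22 += uy * uy
            b1 += ux * res
            b2 += uy * res
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:          # degenerate geometry, no unique update
            break
        dx = (a22 * b1 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y


def run_demo():
    # Constructed scenario: two eNBs almost in line with the UE, sensor off-axis.
    enbs = [(0.0, 0.0), (4000.0, 0.0)]
    ue = (2000.0, 600.0)
    sensor = (2000.0, 1500.0)
    start = (2000.0, 1000.0)          # initial guess inside the serving sector

    tas = [ideal_ta(e, ue) for e in enbs]
    d_enb = [ta * R for ta in tas]                              # step 9
    t = est_tx_time(0.0, tas[0])                                # step 10
    t_obs = observe_burst(0.0, enbs[0], ue, sensor, tas[0])     # step 11
    d_sensor = (t_obs - t) * C                                  # steps 12-13

    ta_only = estimate_position(enbs, d_enb, start)
    cesar = estimate_position(enbs + [sensor], d_enb + [d_sensor], start)  # steps 14-15
    return {
        "tas": tas,
        "d_sensor": d_sensor,
        "err_ta_only": math.dist(ta_only, ue),
        "err_cesar": math.dist(cesar, ue),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In this scenario the sensor range inherits the TA quantization residual of the eNB used for timing, so d' is biased by up to one TA step even with perfect time measurement; the extra locus still removes most of the error caused by the near-collinear eNB geometry.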

5.2 Sensor Implementation 

As previously discussed, the sensor need not be sophisticated. In fact, modern SDR solutions
provide a vehicle by which the sensor can be implemented. At the time of this writing, the
necessary RF components for such an SDR solution could be assembled off the shelf for less
than $3000. The particular solution implemented by this work is shown in Figure 5.2.

The RF front end is a universal software radio peripheral (USRP) N210 manufactured by
Ettus Research. The processing speed is high enough in this peripheral such that the maximum
sample rate is limited by the Gigabit Ethernet connection to the host machine which
is nominally 20-25 MSps. The RF daughterboard utilized is the WBX board also manufactured
by Ettus Research. This daughterboard is capable of modulating/demodulating
baseband signals at frequencies in the range of 50-2200 MHz which sufficiently covers the
cellular spectrum.

²² This section was revised from [29].

Figure 5.3. An overview of the salient logical signaling channel organization
in GSM


5.3 Observability of Uplink Frames 

Here we highlight step 11 of the CeSAR algorithm which requires that a sensor is able
to observe an uplink burst from a specific UE. Because LTE uses an OFDMA access
scheme [22], the sensor would need to know what resource element(s) were assigned by the
network to that UE. Learning this information without direct access to an eNB is non-trivial
but possible. This possibility, which is the focus of this section, marks a significant
shift in the confidentiality architecture of LTE. In this section, we contrast the signaling
plane confidentiality of LTE with that of GSM to first highlight this shift. Additionally,
the contrast demonstrates that, while it is not possible to decode the UE uplink burst, it is
possible to know in what time-frequency resource it will be sent.

We begin by first presenting the salient aspects of the GSM signaling plane. GSM defines 
a series of logical channels used in both the downlink and uplink. They are broken into 
two categories of traffic and signaling planes, the latter of which is shown in Figure 5.3.
In the signaling plane are three groups of channels: the broadcast (BCH), common control 
(CCCH), and dedicated control channel groupings (DCCH). 

Of specific interest are the CCCH and DCCH groupings. Among other things, the CCCH 
is responsible for the random access procedure via the random access channel (RACH) and 
the access grant channel (AGCH) [62], [63]. Of note, no channels in the CCCH group are 
encrypted as they contain information relevant to multiple users [64]. 

Consider a UE with information to transmit to the network and without a current valid
scheduling grant. The UE first needs to request assignment of a Standalone Dedicated
Control Channel (SDCCH) via the RACH [63]. The base station controller (BSC) will
respond with an IMMEDIATE ASSIGNMENT message via the AGCH assigning a specific
SDCCH to the requesting UE. Once the SDCCH is assigned encryption will begin. Finally,
an encrypted ASSIGNMENT COMMAND gives the parameters of the traffic channel (TCH) to
the UE [62]. Because this last step is performed after encryption begins, the confidentiality
of the uplink channel signaling is effectively preserved in GSM. This process²³ is presented
graphically in Figure 5.4.

Figure 5.4. The radio resource allocation procedure for a GSM connected
UE with network traffic

Of particular interest is that encryption in the GSM air interface is performed at a very low
level immediately preceding modulation (in logical channels that support encryption) [62].
This strengthens the confidentiality of signaling traffic.

Similar to GSM, LTE also specifies a series of logical channels albeit organized differently
than in GSM. LTE has a more flat channel architecture so a hierarchy is not presented. Rather
only specific channels are selected for discussion. They are broken into the downlink and
uplink subgroups of which the former is of particular interest. In this group there exists a
DCCH similar to that of GSM; however, different from GSM, the LTE DCCH is a bearer
of mainly the Radio Resource Control (RRC) layer information. Also different from GSM,
LTE specifies certain physical channels onto which no logical channel will map. Of interest
to this work is the Physical Downlink Control Channel (PDCCH) and the Physical Uplink
Control Channel (PUCCH).

²³ Only an overview of the major steps in the process is presented for clarity. Furthermore, the base
transceiver station (BTS) and base station controller (BSC) are grouped into one entity, the base station
subsystem (BSS).

Figure 5.5. The radio resource allocation procedure for an LTE connected
UE with network traffic is presented. Only an overview of the major steps
in the process is presented for clarity.

In LTE, scheduling is the responsibility of the MAC layer and is done dynamically on a 
frame-by-frame (i.e., 1 ms) basis [22]²⁴. Therefore, unlike GSM, LTE does not assign
dedicated control channels (i.e., the GSM SDCCH). Instead, the information pertaining to 
uplink scheduling is found in the PDCCH broadcast in the L1/L2 control region of each 
downlink frame [22]. 

Consider a UE with information to transmit to the network and without a current valid
scheduling grant. The UE will first utilize the uplink L1/L2 control region to indicate to
the eNB that it requires uplink resources. As previously discussed, the eNB’s scheduling
decisions are issued via the PDCCH in the L1/L2 control region. Each scheduling grant
is appended with a cyclic redundancy check (CRC) which is calculated with the intended
recipient’s radio network temporary identifier (RNTI). Therefore all grants sent via the
PDCCH are checked by each UE with their allocated RNTIs. Grants that do not check are
discarded as either not intended for the UE or invalid [22]. The PDCCH is continuously
monitored by each connected UE to update its uplink grant allocation as it is changed
dynamically. This process is presented graphically in Figure 5.5.
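
The grant check described above, as an added example that is not from the original work: it uses the 16-bit CRC and RNTI scrambling that 3GPP TS 36.212 defines for PDCCH payloads, so a grant verifies only against the RNTI it was addressed to and the check involves no key. The function names, payload bytes and RNTI values are constructed placeholders, not a real DCI format.

```python
"""PDCCH grant addressing: CRC-16 scrambled with the RNTI (added example)."""

GCRC16 = 0x1021   # generator x^16 + x^12 + x^5 + 1


def crc16(data: bytes) -> int:
    """Bitwise CRC-16, most significant bit first, zero initial state."""
    reg = 0
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            if reg & 0x8000:
                reg = ((reg << 1) ^ GCRC16) & 0xFFFF
            else:
                reg = (reg << 1) & 0xFFFF
    return reg


def build_grant(payload: bytes, rnti: int) -> bytes:
    """eNB side: append the CRC XORed with the recipient's 16-bit RNTI."""
    masked = crc16(payload) ^ (rnti & 0xFFFF)
    return payload + masked.to_bytes(2, "big")


def grant_checks(candidate: bytes, rnti: int) -> bool:
    """Receiver side: remove the RNTI mask and compare with a fresh CRC."""
    payload = candidate[:-2]
    field = int.from_bytes(candidate[-2:], "big")
    return (field ^ (rnti & 0xFFFF)) == crc16(payload)


def monitor(candidates, allocated_rntis):
    """Keep the payloads that check against one of the allocated RNTIs and
    discard the rest as not intended for this UE or invalid."""
    kept = []
    for cand in candidates:
        for rnti in allocated_rntis:
            if grant_checks(cand, rnti):
                kept.append((rnti, cand[:-2]))
                break
    return kept


def demo():
    mine, other = 0x4A3F, 0x1B02                  # constructed C-RNTI values
    for_me = build_grant(b"\x2a\x10\x07", mine)   # constructed payload bytes
    for_other = build_grant(b"\x19\x44\x03", other)
    corrupted = bytes([for_me[0] ^ 0x01]) + for_me[1:]   # one flipped bit
    return monitor([for_other, corrupted, for_me], [mine])


if __name__ == "__main__":
    print(demo())
```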

Next, a large functional change in LTE, relative to GSM, is highlighted: the responsibility
for encryption is held exclusively in the PDCP sublayer. Therefore, nothing in the lower
layers (i.e., the Radio Link Control (RLC) and MAC layers) is ciphered [47]. A consequence
of this architectural shift is that a significant amount of signaling is sent in the clear. The
requirement for transparent signaling is also built into the uplink scheduling scheme (cf.
Figure 5.5) which would not work if ciphering was implemented at the same low level it is
in GSM. Therefore, with this signaling plane confidentiality, only the target RNTI is needed
to decode that UE’s unencrypted uplink resource grants.²⁵

²⁴ It should be noted that the network can also optionally choose to implement semi-persistent, vice dynamic,
scheduling.
²⁵ This section was revised from [28].


CHAPTER 6:

Theory of Random Variable Quantization 


In this chapter, following [65], we provide an account of the theory of quantization of
a RV in general terms. To provide an impetus for the subsequent discussion, we first
introduce fundamental and relevant concepts such as the CRLB and GDoP. We then derive
the conditions necessary to satisfy a lower bound on positioning. This chapter provides
the theoretical foundation and justification for a method of maximum-likelihood estimation
developed in the subsequent chapter and follows directly from work previously published
by the authors [21], [29]. Specifically, Sections 6.1 and 6.2 are revised from “Maximum
Likelihood Geolocation in LTE Cellular Networks Using the Timing Advance Parameter”
by John Roth, Murali Tummala, John McEachen, James Scrofani, and Robert DeGabriele to
be published in the proceedings of the 10th International Conference on Signal Processing
and Communication Systems in December 2016 [21]. Sections 6.4-6.9 are revised from
“On Location Privacy in LTE” by John Roth, Murali Tummala, John McEachen, and James
Scrofani which is submitted for publication [29].


6.1 The Cramer-Rao Lower Bound in Time of Arrival Positioning

The CRLB is a well-known lower bound on the mean square error (MSE) or root mean
square error (RMSE) of an unbiased estimator [7], [10], [48]. In this work, we use the
RMSE in order to provide results that are easier to understand in terms of positioning
accuracy. Given the unbiased estimate $\hat{\mathbf{p}}$, the CRLB is formally expressed as

$$\sqrt{E\{(\mathbf{p}_0 - \hat{\mathbf{p}})^2\}} \geq \text{CRLB}. \tag{6.1}$$

In matrix form, $\text{CRLB} = \sqrt{\operatorname{Tr}(\mathbf{I}^{-1})}$ where $\operatorname{Tr}(\cdot)$ is the trace function and $\mathbf{I}$ is the Fisher
information matrix (FIM) developed for the ToA application as [10]

$$\mathbf{I}_{[i,j]} = -E\left[\frac{\partial^2 \log p(\hat{\mathbf{d}} \mid \mathbf{d})}{\partial \mathbf{p}_{[i]}\, \partial \mathbf{p}_{[j]}}\right] \tag{6.2}$$

Figure 6.1. The layout of an actual cellular network deployment located in
Annapolis, Maryland. Source: [21].

where the subscript(s) in brackets represent the matrix or vector index. The proof of
this relationship for a general unbiased estimator is provided in Appendix B. When the
probability distribution function (PDF) is normal and $\sigma_i = \sigma\ \forall i$, it can be shown that [31]



yAf (x-Xj)^ yW (x-Xi){y-yi) 

yN {x-Xi){y-yi) yAi jy-yi) 

^/=1 £ ^i=l 

I I 


(6.3) 


A proof of the relationship presented in (6.3) is given in Appendix C. In general, the 
expectation in (6.2), taken with respect to p, may not have a closed-form solution. In this 
case, it is necessary to resort to numerical integration techniques. 


When NLoS conditions are present, it has been shown that the CRLB can be attained when 
the eNB(s) with NLoS channel conditions are discarded and only those remaining with LoS 
conditions are used for positioning [66]. This requires the ability to identify and discard 
those measurements [31]. 


In order to show typical values of the CRLB, an actual network deployment in Annapolis,
Maryland, shown in Figure 6.1, was evaluated²⁶. The fourth and fifth nodes are added
successively to show how positioning changes as more nodes become available. The
theoretical lower bound on the accuracy of an unbiased estimator for this geometry is then
shown in Figure 6.2 along with the corresponding trends in GDoP. In the left pane, the
abscissa represents the error in distance estimation given $\sigma_i = \sigma\ \forall i$. The values are chosen
as they are common error variances in ToA positioning [31]. The ordinate represents the
minimum localization RMSE possible in meters. In the right pane, the abscissa represents
the number of eNBs N and the ordinate shows the GDoP value for the given N.

²⁶ Latitude and longitude have been converted to the Cartesian coordinate system where the axes units are
given in meters.

Figure 6.2. The curves in the left pane show the CRLB as parameterized
by the noise level $\sigma$ and the number of eNBs N. The GDoP is also shown
in the right pane to demonstrate the favorability of the eNB geometry as
nodes 4 and 5 are added. Source: [21].

The CRLB can then be said to be a function of several parameters: 

1. The shape of the probability density. The more peaked the shape (i.e., kurtosis), the 
lower the CRLB (cf. (6.2)). 

2. The variance of the error associated with the parameter to be estimated. The lower the variance, the lower the CRLB (cf. Figure 6.2 and (6.3)).

3. The number of available eNBs. In general, the more eNBs available, the lower the CRLB (cf. Figure 6.2 and (6.3)).

4. The geometry of the eNBs. It can be seen in (6.3) that, for the case of a normal density, the geometry is completely defined by the angle from the UE to the eNB(s) and the distance is mathematically irrelevant.


The sole dependence of the CRLB on the associated angles in the geometry and not the 
distance can be seen from the following identities 


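$$\cos(\theta_i) = \frac{x - x_i}{d_i}, \qquad \sin(\theta_i) = \frac{y - y_i}{d_i} \qquad (6.4)$$

where $\theta_i$ is the angle subtending the $i$th eNB and the UE. Substituting these identities into (6.3) we have

$$\mathbf{I} = \frac{1}{\sigma^2} \begin{bmatrix} \sum_{i=1}^{N} \cos^2(\theta_i) & \sum_{i=1}^{N} \cos(\theta_i)\sin(\theta_i) \\ \sum_{i=1}^{N} \cos(\theta_i)\sin(\theta_i) & \sum_{i=1}^{N} \sin^2(\theta_i) \end{bmatrix} \qquad (6.5)$$

From (6.5) it is easy to see how the CRLB is not dependent on distance.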


6.2 Geometric Dilution of Precision in Time of Arrival Positioning

It was stated in the previous section and expressed in (6.3) that the CRLB is a function of the eNB geometry. The effect of the geometry can be isolated from the effect of the measurement noise by dividing out the measurement error to yield the GDoP given as [10]

$$\mathrm{GDoP} = \frac{\sqrt{\mathrm{Tr}(\mathbf{I}^{-1})}}{\sigma} \qquad (6.6)$$

GDoP can generally be interpreted as the factor by which the standard deviation of the position estimate is related to the standard deviation of the distance measurement

$$\sqrt{E\{(\hat{p} - p)^2\}} = \mathrm{GDoP} \times \sqrt{E\{(\hat{d} - d)^2\}}. \qquad (6.7)$$


As a rule of thumb, it has been previously reported that GDoP values of less than three are favorable where values greater than six are not [10]. Additionally, values of less than one are possible and imply that the position estimate will have a smaller standard deviation than the individual distance estimates, thus a geometric concentration of precision is experienced.

Footnote: It has been previously reported that the standard deviation of the distance measurement is distance dependent [67]. Therefore, although $d_i$ does not affect the CRLB directly the variance may actually be a function of the distance (i.e., $\sigma_i(d_i)$).

Footnote: This section is revised from [21].

Figure 6.3. The experimental setup of the GDoP investigation

In order to investigate the geometric effect of eNBs on positioning we again turn to Figure 6.2. 
Here the right pane shows how the geometric state improves as each eNB is added with 
and without CeSAR. Without CeSAR, after the fifth eNB is made available the GDoP is 
actually less than one where the aforementioned implication about geometric concentration 
of precision applies. 

In traditional cellular networks one is limited to the GDoP offered by the existing geometry. 
However, one advantage of CeSAR is that the location of the CeSAR sensor can be chosen 
to minimize GDoP. The geometric advantage of CeSAR is again shown in the right pane of 
Figure 6.2. With CeSAR, the GDoP starts at one when N = 3 and continues to improve as 
N increases. 

To generalize the idea of GDoP beyond this specific use case we propose a notional model of three eNBs arranged as an isosceles triangle as in Figure 6.3. The eNBs are all approximately one kilometer apart. An area of one square kilometer, centered on the center of mass of the triangle, is chosen as an area reasonably served by all three eNBs. The geometry of the eNBs is systematically changed by lowering the base angle of the isosceles triangle (keeping the base distance constant). The GDoP is then sampled uniformly throughout the serving area and the results recorded in Figure 6.4. The regions of GDoP noted by [10] as having suboptimal geometries for positioning, according to the aforementioned rule of thumb, are shown in the figure. The maximum GDoP within the region quickly exceeds acceptable limits while the mean and minimum remain within acceptable limits throughout. This trend across statistics suggests that the more collinear eNBs are in the geometry, the worse the environment for positioning. We note that this study is conservative as the maximum values of GDoP remain on-axis with the triangle base and outside of the convex hull of the triangle which is not well represented by the serving area.

Figure 6.4. The maximum, minimum, and mean GDoP in a serving area of a collection of three serving eNBs is presented here. The eNBs are arranged in an isosceles triangle with the base edge approximately one kilometer long and with the base angle specified by the abscissa. Source: [21].

These results suggest that, on average, the geometry of eNBs should not be unfavorable. While GDoP will always affect the accuracy of the position estimate, even with very severe collinear eNB geometry (such as that seen frequently in main thoroughfares like major highways), harsh GDoP effects may not be common. An interesting corollary is that because GDoP is only a function of the angles between the UE and eNBs (cf. (6.5)) the density of eNBs will not have an effect on the positioning accuracy. Therefore we should not expect that the recent move towards cell densification [68], as a means to increasing data throughput, will improve positioning performance purely vis-a-vis denser infrastructure geometry.

Figure 6.5. Geometric pathology in a two eNB positioning scenario
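As an added illustration (not code from the original work), the following Python sketch evaluates the GDoP of (6.6) from the angle-only matrix of (6.5) and repeats the isosceles-triangle sweep of Section 6.2. The 41 x 41 sampling grid, the one-kilometer base and all function names are assumptions made for the example.

```python
import math


def gdop(ue, enbs):
    """GDoP at UE position `ue` for eNBs at `enbs` (2-D points, metres).

    Builds the angle-only matrix H of (6.5) with sigma = 1, so that
    GDoP = sqrt(Tr(I^-1)) / sigma reduces to sqrt(Tr(H^-1)).
    """
    a = b = c = 0.0                       # H = [[a, b], [b, c]]
    for ex, ey in enbs:
        theta = math.atan2(ue[1] - ey, ue[0] - ex)
        a += math.cos(theta) ** 2
        b += math.cos(theta) * math.sin(theta)
        c += math.sin(theta) ** 2
    det = a * c - b * b
    if det < 1e-12:                       # every eNB collinear with the UE
        return math.inf
    return math.sqrt((a + c) / det)       # Tr(H^-1) = (a + c) / det


def isosceles_enbs(base_angle_deg, base_m=1000.0):
    """Three eNBs: base on the x-axis, apex height set by the base angle."""
    half = base_m / 2.0
    height = half * math.tan(math.radians(base_angle_deg))
    return [(-half, 0.0), (half, 0.0), (0.0, height)]


def serving_area_stats(base_angle_deg, side_m=1000.0, steps=41):
    """(min, mean, max) GDoP on a uniform grid over a square of side
    `side_m` centred on the centre of mass of the triangle."""
    enbs = isosceles_enbs(base_angle_deg)
    cx = sum(p[0] for p in enbs) / 3.0
    cy = sum(p[1] for p in enbs) / 3.0
    values = []
    for i in range(steps):
        for j in range(steps):
            x = cx - side_m / 2 + side_m * i / (steps - 1)
            y = cy - side_m / 2 + side_m * j / (steps - 1)
            values.append(gdop((x, y), enbs))
    return min(values), sum(values) / len(values), max(values)


if __name__ == "__main__":
    for angle in (60, 45, 30, 20, 10):
        lo, mean, hi = serving_area_stats(angle)
        print(f"base angle {angle:2d} deg: min {lo:.2f}  mean {mean:.2f}  max {hi:.2f}")
```

Scaling every coordinate by a common factor leaves the returned value unchanged, which is the distance independence noted for (6.5).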


6.3 Pathological Geometries 

The CRLB is only a meaningful lower bound if the estimate is unbiased [48]. However, the infrastructure may be physically organized such that an unbiased estimate is not possible. We call this situation a pathological geometry. To understand this phenomenon, consider the positioning scenarios shown in Figure 6.5. In both figure panes a Monte Carlo study is conducted where there are two serving eNBs ($N = 2$) from which a target will be located. The distance estimate made from each eNB is corrupted by a normal error source. The axes are given in distance normalized by the standard deviation where $\sigma_1 = \sigma_2$. Since, in a two eNB scenario, it is equally as likely that the UE is on either side of the abscissa we restrict the solution space to points which lie above the x-axis. In the left pane, the UE to be located is almost directly in between the two eNBs. In the right pane, the UE to be located is offset by $5\sigma$. By inspection of the resulting probability clouds, it is not hard to see that the geometry in the left pane is biased while the geometry in the right pane is not.

This pathology arises from the fact that the CRLB does not take symmetry into account which naturally arises in a two eNB scenario (i.e., it is equally likely that the position estimate is above or below the x-axis for a given set of distance estimates). The symmetry is described in this scenario by the line $y = 0$, which we term the symmetry directrix. Symmetry of this sort can be dealt with by artificially restricting the solution space, as we have done in Figure 6.5. Not doing this dramatically increases the resulting error since if the position estimate on the wrong side of the directrix is chosen the error will be much larger. Therefore, regardless of whether the solution space is artificially restricted or not, the estimate will be biased. To see this, consider the pathological geometry in the left pane of Figure 6.5 and note that a significant number of position estimates lie approximately on the x-axis. This arises from the scenario where the sum of the distance estimates from the eNBs is less than the distance between the eNBs. Put another way, if the distance estimates were represented as circles centered on their respective eNBs, they would not intersect. It is clear that in this scenario the most likely position estimate will lie somewhere on the line connecting the two eNBs. In fact, for this scenario, this will happen approximately one-half of the time and is a significant source of bias. In contrast, when the target moves far enough away from the eNBs this bias disappears since the distance estimate circles will intersect the vast majority of the time. In this case the probability cloud that is generated looks as we would expect one to look that was generated from normal error. Alternatively, if a third eNB is included, the bias will also disappear since the third eNB will help adjudicate the position estimate in the direction orthogonal to the symmetry directrix.

Footnote: This section is revised from [21].

Bias will be introduced anytime a position estimate is found without sufficient information in each of the orthogonal bases for the coordinate system in use (seen in the left pane of Figure 6.5). For measurements with normally distributed error and two eNBs, this means the UE should be at least $3\sigma$ away from the directrix. The rule of thumb to avoid bias is less straightforward when $N > 2$ where numerical means can be used to estimate bias.
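The two-eNB Monte Carlo study described in this section can be reproduced with the following added sketch, which is not the code used to produce Figure 6.5. The eNB separation of $6\sigma$, the least-squares fix placed on the directrix when the range circles do not meet, the trial count and the function names are assumptions of the example.

```python
import math
import random


def ls_fix(d1, d2, half_sep):
    """Least-squares fix from two range estimates, restricted to y >= 0.

    eNBs sit at (-half_sep, 0) and (+half_sep, 0); the x-axis is the
    symmetry directrix. Returns (x, y, circles_intersect).
    """
    if d1 + d2 < 2 * half_sep:                 # circles too small to meet
        return (d1 - d2) / 2.0, 0.0, False
    if abs(d1 - d2) > 2 * half_sep:            # one circle inside the other
        return math.copysign((d1 + d2) / 2.0, d1 - d2), 0.0, False
    x = (d1 * d1 - d2 * d2) / (4.0 * half_sep)
    y = math.sqrt(max(d1 * d1 - (x + half_sep) ** 2, 0.0))
    return x, y, True


def monte_carlo(ue, half_sep=3.0, sigma=1.0, trials=20000, seed=1):
    """Bias of the fix and fraction of trials whose circles do not intersect.

    Distances are in units of sigma; `ue` is the true UE position.
    """
    rng = random.Random(seed)                  # fixed seed: repeatable run
    r1 = math.hypot(ue[0] + half_sep, ue[1])   # true range to each eNB
    r2 = math.hypot(ue[0] - half_sep, ue[1])
    sum_x = sum_y = 0.0
    misses = 0
    for _ in range(trials):
        d1 = max(r1 + rng.gauss(0.0, sigma), 0.0)   # normal range error
        d2 = max(r2 + rng.gauss(0.0, sigma), 0.0)
        x, y, hit = ls_fix(d1, d2, half_sep)
        sum_x += x
        sum_y += y
        if not hit:
            misses += 1
    return {
        "bias_x": sum_x / trials - ue[0],
        "bias_y": sum_y / trials - ue[1],
        "no_intersection": misses / trials,
    }


if __name__ == "__main__":
    for label, ue in (("UE between the eNBs", (0.0, 0.0)),
                      ("UE offset by 5 sigma", (0.0, 5.0))):
        r = monte_carlo(ue)
        print(f"{label}: bias_x {r['bias_x']:+.2f}  bias_y {r['bias_y']:+.2f}  "
              f"non-intersecting {100 * r['no_intersection']:.1f}%")
```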

6.4 The Probability Density of a Quantized Random Variable

Quantization is sometimes regarded as a non-linear operation making analysis of the associated operations difficult. Here we review the work presented in [65] and highlight that quantization can be shown to be a linear injective operation in the RV signal space. This realization will justify use of the latent continuous distribution in a MLE.

First, consider a latent RV $N$ which has the specific probability density

$$p_N(x) = \frac{1}{\sqrt{2\pi}\,\sigma}\, e^{-x^2/(2\sigma^2)} \qquad (6.8)$$

and cumulative distribution function

$$F_N(x) = \Phi\left(\frac{x}{\sigma}\right) \qquad (6.9)$$

such that $N$ has zero mean and some variance $\sigma^2$. For convenience, and due to the assumption that $\sigma_i = \sigma\ \forall i$, we hereafter use only $\Phi(x)$ to represent the cumulative density of $N$. We define the specific distribution of $N$ to simplify the discussion of quantization on variance (cf. Figure 6.6) although the analysis presented is applicable to other distributions. We will later show this choice of a normal distribution is appropriate for TA-based positioning.

Next, consider a quantization function $Q$ such that $Q : N \to N'$ and the density of $N'$ is given as

$$p_{N'}(x) = \sum_n \alpha_n\, \delta(x - n\tau). \qquad (6.10)$$

Here we make use of the shorthand $\sum_n$ to represent the sum over all $n \in \mathbb{Z}$, $\delta(\cdot)$ to represent the Dirac delta function, and $\alpha$ to represent some appropriate scaling parameter. The relation in (6.10) can be regarded as a quantized version of $N$ with bins evenly spaced by $\tau$.

It is well-known that the quantization operation contributes to the overall noise of the
resulting signal. This is represented by the convolution of $p_N(x)$ with a uniform distribution $p_U(x)$ with support $\in [-\tau/2, \tau/2]$. As a first step in defining $Q$, consider the result of this convolution which is presented in detail in Appendix D

$$p_N(x) * p_U(x) = \frac{1}{\tau}\left[\Phi(x + \tau/2) - \Phi(x - \tau/2)\right] \qquad (6.11)$$

where $\Phi(x - \psi)$ is the cumulative density of $p_N(x)$ shifted by some amount $\psi$. The second and final step taken in defining $Q$ is a multiplication of (6.11) with an impulsion train (Dirac comb) scaled by $\tau$, $\mathrm{III}_\tau(x)$, with periodicity $\tau$. This process is presented graphically in Figure 6.6.

To verify that (6.10) follows, observe that

$$\sum_n \tau\,\delta(x - n\tau)\,\frac{1}{\tau}\left[\Phi(x + \tau/2) - \Phi(x - \tau/2)\right] = \sum_n \delta(x - n\tau)\left[\Phi(n\tau + \tau/2) - \Phi(n\tau - \tau/2)\right]. \qquad (6.12)$$

Next, let

$$\alpha_n = \left[\Phi(n\tau + \tau/2) - \Phi(n\tau - \tau/2)\right]. \qquad (6.13)$$

Finally, by substituting (6.13) into (6.12) we arrive at (6.10).

To see the equivalency of $Q$ to quantization consider (6.11) as the difference of two scaled cumulative densities (cf. Figure 6.6). The product of that density with a Dirac delta results in

$$\begin{aligned} \tau\,\delta(x - x_1)\,\left(p_N(x) * p_U(x)\right) &= \delta(x - x_1)\left[\Phi(x_1 + \tau/2) - \Phi(x_1 - \tau/2)\right] \\ &= \delta(x - x_1) \int_{x_1 - \tau/2}^{x_1 + \tau/2} p_N(x)\,dx \\ &= \alpha_{x_1/\tau}\,\delta(x - x_1) \end{aligned} \qquad (6.14)$$

where the Dirac delta represents a bin centered on $x_1$. The result of the product, given in (6.14), is exactly the quantization operation, shown in Figure 6.7, a direct result of the definition of a cumulative distribution function.

Figure 6.7. The quantization of a normal RV with bin size $\tau$ and bin centers $x_1 + n\tau$ is presented here. Adapted from [65].

Note that all steps taken in $Q$ are linear and thus also commute. Therefore, while the operation is indeed non-linear in the observation space (i.e., the result of a quantized observation cannot be undone), the operation is linear in signal space. This will be the subject of further discussion in a subsequent section.

6.5 The Characteristic Function of Quantized Random Variable

Consider $p_N(x) \overset{\mathcal{F}}{\longleftrightarrow} P_N(\phi)$ which are related via the Fourier transform and define $P_N(\phi)$ as the characteristic function (CF) of $p_N(x)$. The Fourier equivalent steps that define the mapping of the CFs under $Q$ are shown graphically in Figure 6.8 and given precisely by $\mathrm{III}_{2\pi/\tau}(\phi) * P_N(\phi) \cdot P_U(\phi)$ which yields

$$P_{N'}(\phi) = \sum_n A(\phi - 2\pi n/\tau). \qquad (6.15)$$

Here $A(\phi)$ is the result of the product of CFs $P_N(\phi) \cdot P_U(\phi)$ explicitly given by

$$P_N(\phi) \cdot P_U(\phi) = e^{-(\phi\sigma)^2/2}\, \mathrm{sinc}\left(\frac{\phi\tau}{2}\right) \qquad (6.16)$$

where the product itself is trivial and the derivation of the exact CFs for $P_N(\phi)$, $P_U(\phi)$, given $N$ is normal, can be found in Appendix E. Finally, we arrive at $P_{N'}(\phi)$ by performing the convolution

$$\mathrm{III}_{2\pi/\tau}(\phi) * P_N(\phi) \cdot P_U(\phi) = \sum_n e^{-((\phi - 2\pi n/\tau)\sigma)^2/2}\, \mathrm{sinc}\left(\frac{(\phi - 2\pi n/\tau)\tau}{2}\right). \qquad (6.17)$$

By comparing (6.17) to (6.15) we can see that

$$A(\phi) = e^{-(\phi\sigma)^2/2}\, \mathrm{sinc}\left(\frac{\phi\tau}{2}\right) \qquad (6.18)$$

and the separation of $A_n(\phi)$ is inversely proportional to $\tau$. To graphically show the effect of $Q$ in the Fourier domain, the $A_n(\phi)$ are shown in Figure 6.8 with dashed lines while their sum is shown with a boldface line. Also, the quantization operation in the Fourier domain is completely defined by linear operations, thus fully injective in the RV parameter space. Stated another way, given a quantized probability density function one is able to recover the latent probability density function by reversing the above steps. The fact that quantization is injective in the RV parameter space in both domains is an important point that will be used to justify later statistical claims.

Footnote: This section is revised from [29].

Footnote: Note that certain conditions must be met in order for this to be true and are discussed later in this chapter.

Figure 6.9. The cumulative density function of $N'$ as $\tau \to 0$

6.6 The Effect of Quantization Bin Size

Next we vary $\tau$ to examine the effect of the bin size on $p_{N'}(x)$ and $P_{N'}(\phi)$. We will later expand on these observations to explain the effect of $\tau$ on the variance of $N'$.

6.6.1 The Effect of Quantization Bin Size as $\tau \to 0$

To understand the effect of a decreasing $\tau$ on (6.10) and (6.15) let $\tau \to 0$ and let

$$F_{N'}(x) = \Pr[N' \le x] \qquad (6.19)$$

so that $F_{N'}(x)$ is the cumulative distribution function of $N'$. Using (6.10) and (6.13) we can define the cumulative distribution function explicitly as

$$F_{N'}(x) = \sum_{n=-\infty}^{\lfloor x \rfloor_\tau} \alpha_n = \sum_{n=-\infty}^{\lfloor x \rfloor_\tau} \left[\Phi(n\tau + \tau/2) - \Phi(n\tau - \tau/2)\right] = \Phi(\lfloor x \rfloor_\tau) \qquad (6.20)$$

where $\lfloor \cdot \rfloor_\tau$ is the floor operator taken with respect to $\tau$. Next observe that

$$\lim_{\tau \to 0} \Phi(\lfloor x \rfloor_\tau) = \Phi(x) \qquad (6.21)$$

therefore the cumulative density of $N' \to N$ as $\tau \to 0$ since

$$\lim_{\tau \to 0} \lfloor x \rfloor_\tau = x. \qquad (6.22)$$

This convergence in $\tau \to 0$ of $F_{N'}(x) \to F_N(x)$ is shown graphically in Figure 6.9. It follows then that

$$\lim_{\tau \to 0} p_{N'}(x) = p_N(x). \qquad (6.23)$$

From this relationship it is a trivial step to see that

$$\lim_{\tau \to 0} P_{N'}(\phi) = P_N(\phi) \qquad (6.24)$$

since $p_N(x) \overset{\mathcal{F}}{\longleftrightarrow} P_N(\phi)$. To verify, consider $P_{N'}(\phi)$ and note that as $\tau \to 0$ the separation between $A_n(\phi)$ increases to $\infty$. Therefore, we can say that

$$\lim_{\tau \to 0} P_{N'}(\phi) = A_0(\phi) \qquad (6.25)$$

and note that $A_0(\phi) = P_N(\phi)$ which verifies the relationship in (6.24).

Another intuitive way of verifying this relationship is to note that as $\tau \to 0$ we are no longer quantizing the latent RV. This view is consistent with (6.23) and (6.24).

6.6.2 The Effect of Quantization Bin Size as $\tau \to \infty$

To illuminate the effect of an increasing $\tau$ on (6.10) and (6.15) consider the case when $\tau \to \infty$. It can be seen that

$$\lim_{\tau \to \infty} p_{N'}(x) = \delta(x) \qquad (6.26)$$

since as $\tau \to \infty$, $\alpha_0 \to 1$ and $\alpha_{n \neq 0} \to 0$. Note that as $\tau \to \infty$ the center bin extends to cover all of $\mathbb{R}$ and thus the output of the quantizer is deterministic. To see this, consider (6.13). Here the difference $[\Phi(n\tau + \tau/2) - \Phi(n\tau - \tau/2)] \to 1$ since the integral in (6.14) as $\tau \to \infty$ for $n = 0$ is

$$\lim_{\tau \to \infty} \int_{n\tau - \tau/2}^{n\tau + \tau/2} p_N(x)\,dx\,\Big|_{n=0} = \int_{-\infty}^{\infty} p_N(x)\,dx = 1. \qquad (6.27)$$

Conversely, $\forall n \neq 0$ the limit is

$$\lim_{\tau \to \infty} \int_{n\tau - \tau/2}^{n\tau + \tau/2} p_N(x)\,dx\,\Big|_{n \neq 0} = \cdots = 0. \qquad (6.28)$$

Note that this relationship can be extended to any probability density function since $\Pr[x < \infty] = 1$, $\Pr[x < -\infty] = 0$ for any RV $X$, and since the CDF is monotonic.

Similarly, let $\tau \to \infty$ for $P_{N'}(\phi)$. This time the separation between $A_{n-1}$ and $A_n$ will go to 0 which follows from the limit of $2\pi/\tau$ as $\tau \to \infty$. Because $P_{N'}(\phi)$ is the sum over all $n$ we find

$$\lim_{\tau \to \infty} P_{N'}(\phi) = 1 \qquad (6.29)$$

which is verified numerically in Figure 6.10. Here we find that the limit is reached quite quickly at around $10\sigma$. Note also that $\forall \tau$, $P_{N'}(0) = 1$ satisfying the requirement that $\int p_{N'}(x)\,dx = 1$.

Figure 6.10. The CF as $\tau \to \infty$

The result in (6.29) can be verified by taking the Fourier transform of (6.26)

$$\delta(x) \overset{\mathcal{F}}{\longleftrightarrow} 1 \qquad (6.30)$$

which follows from the requirement that $p_{N'}(x) \overset{\mathcal{F}}{\longleftrightarrow} P_{N'}(\phi)\ \forall \tau$. Therefore, the Fourier pairs must agree at all extrema of $\tau$.


6.7 The Variance of a Quantized Random Variable

Recall that the $k$th moment can be derived from the CF via the relationship [65]

We proceed from (6.31) with the CF in (6.15) and the definition (6.8). Note that because (6.8) is zero mean, then the case where $k = 2$ is equivalent to the variance (i.e., $E\{N^2\} = \sigma^2$).

Rather than derive a closed form solution for (6.31) we use the relationships derived in the previous section for the CF at extrema of $\tau$ in order to investigate the effect of $\tau$ on $E\{N'^2\}$.

Consider first the case when $\tau = 0$ such that (6.24) applies. Using (6.31) it is easy to verify that $E\{N'^2\} = E\{N^2\}$ since (6.23) and (6.24) hold. The result is also found directly in Appendix E through evaluating (6.31). Now let $\tau = \epsilon$ where $\epsilon$ is some positive, arbitrarily small number. Since $\epsilon$ is small it is not necessary to consider any $A_n(\phi - 2\pi n/\tau)$ where $n \neq 0$. This follows from the fact that the term when $n = 1$ is found at $2\pi/\epsilon$. If $\epsilon$ is sufficiently small then the value of this term at zero will effectively be zero. This result is proven in Appendix E. With this in mind, and for sufficiently small $\epsilon$, the variance of $N'$ is found via

$$E\{N'^2\} = -\frac{d^2 A_0(\phi)}{d\phi^2}\Big|_{\phi=0}. \qquad (6.32)$$

Footnote: Section 6.6 is revised from [29].

Using the product rule, the derivative can be evaluated as

$$\frac{d^2 A_0(\phi)}{d\phi^2} = P_U(\phi)\frac{d^2}{d\phi^2}P_N(\phi) + \frac{d^2}{d\phi^2}P_U(\phi)\,P_N(\phi) + 2\frac{d}{d\phi}P_U(\phi)\frac{d}{d\phi}P_N(\phi). \qquad (6.33)$$

Notice that when evaluated at $\phi = 0$ the first and second derivatives of $P_N(\phi)$ are 0 and $-\sigma^2$ respectively. Also, note that $P_U(0) = P_N(0) = 1$. After applying these observations and distributing the negative sign we can simplify (6.33) to

$$-\frac{d^2 A_0(\phi)}{d\phi^2}\Big|_{\phi=0} = \sigma^2 - \frac{d^2 P_U(\phi)}{d\phi^2}\Big|_{\phi=0}. \qquad (6.34)$$

This derivation is made more rigorous in Appendix E. Since $P_U(\phi)$ is concave down $\forall \tau > 0$ at $\phi = 0$ we have that

$$E\{N^2\} \le E\{N'^2\} \qquad (6.35)$$

where the inequality is strict for a sufficiently small and non-negative $\tau$.

Next consider the case when $\tau = \infty$. Recall from (6.29) that $P_{N'}(\phi) = 1$. It can be verified that the second derivative is 0 for $\phi = 0$. This result is found explicitly in Appendix E. Thus, when $\tau$ is very large the variance of $N'$ becomes very small such that the inequality in (6.35) is reversed for a sufficiently large $\tau$.

This behavior of the variance as $\tau \to \infty$ requires that $\mathrm{III}_\tau(x)$ is not shifted relative to the mean of $N$. In other words, $\psi = 0$ for $\mathrm{III}_\tau(x - \psi)$ in $Q$. The difference in $p_{N'}(x)$ is shown in Figure 6.11 for $\psi = 0$ (left pane) and $\psi = \tau/2$ (right pane). Subsequently, we will show that these values of $\psi$ are particularly important when evaluating the extrema of $E\{N'^2\}$.

Footnote: The value of the second term in (6.34) can be calculated to a high degree of accuracy using Sheppard's corrections [69] when $\tau < \sigma$ [65].

Figure 6.11. The difference in $p_{N'}(x)$ for the extrema of the shift factor $\psi$
To continue the analysis, consider when $\psi = \tau/2$ such that

$$p_{N'}(x|\psi)\big|_{\psi=\tau/2} = \sum_n \alpha_{n,\psi}\,\delta(x - n\tau - \psi)\Big|_{\psi=\tau/2} = \sum_n \alpha_{n,\tau/2}\,\delta(x - n\tau - \tau/2) \qquad (6.36)$$

and again let $\tau \to \infty$. In this case, we can approximate

$$\lim_{\tau \to \infty} p_{N'}(x|\psi)\big|_{\psi=\tau/2} = \frac{1}{2}\delta(x + \tau/2) + \frac{1}{2}\delta(x - \tau/2). \qquad (6.37)$$

The proof for this result is given in Appendix E.

By inspection of (6.37), it follows then that as $\tau \to \infty$, $E\{N'^2\} \to \infty$. It can be shown that as $\psi$ increases (or decreases) from $\psi = \tau/2$ for a constant $\tau$ where $\psi \in [0, \tau]$, the second moment of $N'$ returns to zero. It can further be shown that these variance maxima occur for values of $\psi = k\tau + \tau/2$ which have corresponding minima at $\psi = k\tau$ for $k \in \mathbb{Z}$. For sufficiently large $\tau$ the second moment then exhibits periodic behavior with period $\tau$. The proofs for these results are given in Appendix E.

Having established that $E\{N'^2\}$ is periodic in $\psi$, let

$$E\{N'^2\} = \beta f(\psi, \tau) + C \qquad (6.38)$$

where $f(\cdot)$ is a function which is periodic in $\psi$ with period $\tau$. The amplitude of $f(\cdot)$ is $\beta$ and has offset $C$. It will subsequently be useful to determine the $\tau$ for which $E\{N^2\} < C - \beta/2$ (i.e., the value at which the variance of the quantized RV is guaranteed to be larger than the variance of the latent RV $\forall \psi$, $E\{N^2\} < E\{N'^2\}$). To find this range let $\psi = 0$, which we have previously seen, is the minimum of (6.32). To make calculations more tractable we only consider $n \in \{-1, 0, 1\}$ in (6.10). Because this function is even, the value of $\alpha_{-1} = \alpha_1 = \Phi(-\tau/2)$. The desired bound on the variance of this probability mass can then be shown to be (cf. Appendix G)

$$2\tau^2\Phi(-\tau/2) < \qquad (6.39)$$

where equality holds when $\tau \approx 3.4\sigma$. Thus, we state that $\tau < 3.4\sigma$ is a necessary and sufficient condition such that the inequality in (6.35) holds $\forall \psi$.

[Figure. Source: [29].]

To better illustrate the relationship between $\psi$ and $E\{N'^2\}$ consider Figure 6.12. Here the shape of (6.38) is shown for various values of $\tau$ when $\psi \in [0, \tau]$. Both $\psi$ and the variance have been normalized such that it is easier to compare the effect of $\tau$ and $\psi$. First, note that as $\tau$ increases the amplitude $\beta$ also increases. As previously calculated, (6.38) always stays above $\sigma_N^2$ for $\tau < 3.4\sigma$. As $\tau$ increases beyond this bound then the minimum value of the variance may drop below $\sigma_N^2$ for certain $\psi$. Second, note that for sufficiently small $\tau$ (e.g., $\tau < \sigma$ in this study) the observed variance of $N'$ is very close to the corrected variance of $N$ which agrees with Sheppard's famous corrections [69]. However, as $\tau$ grows above $\sigma$ the correction becomes less accurate. As the trend in Figure 6.12 suggests, and the analysis has shown, for larger $\tau$ the minimum of (6.38) will eventually reach zero and the maximum will grow to infinity.

6.8 Information Loss in a Quantized Random Variable

Here, following [65], we invoke the analogy of traditional sampling theory and the Nyquist rate in order to investigate injectivity in $N \to Q(N)$. Recall that when sampling a signal, the sampled output is considered representative of the input continuous-time signal if and only if the sampling rate is greater than or equal to twice the highest frequency in the continuous-time signal. If this condition is met we may say that the sampling operation is injective. Stated another way, if the former condition is met, we may perfectly recover the continuous-time signal from the sampled representation because the sampled representation contains all of the information of the original signal.

Notice the similarity between sampling and quantization. The connection is illustrated by the second step in defining $Q$ which involved multiplication of a scaled impulsion train $\mathrm{III}_\tau(x)$ with the convolved latent density. If our goal is to recover the latent density then the conditions necessary and sufficient for said recovery are of interest. Widrow's First Quantization Theorem (QT1) states that if a RV is bandlimited by $\pm\pi/\tau$ then the distribution and CF of the latent RV can be perfectly recovered [70]. The implications of this theorem are far reaching; however, many real-world RVs are not bandlimited. For instance, the normal RV is an example of an extremely common RV whose CF has infinite support. Thankfully, Widrow also noticed this difficulty and showed in his Second Quantization Theorem (QT2) that an approximately bandlimited RV (relative to the bin size $\tau$) can also be recovered with high fidelity [70]. The recovery of moments is closely related to Sheppard's correction, which is shown here for the second moment [69]

$$E\{N^2\} = E\{N'^2\} - \frac{\tau^2}{12}. \qquad (6.40)$$

Footnote: This section is revised from [29].

Footnote: Widrow uses the term "bandlimited" to define the case when a CF has finite support [65].

Widrow offers $\tau < \sigma$ as a rule of thumb to define the condition necessary to satisfy QT2 [65]. The efficacy of this rule of thumb is verified by inspection of Figure 6.12.

6.9 A Lower Bound for the Variance of a Quantized Random Variable

Here, we invoke the CRLB (cf. (6.1)) to show it as an appropriate lower bound for a quantized RV.

Theorem 1: For a latent RV, parameterized by $\theta$

$$\mathrm{Var}_\theta\{\hat{p}\} \ge \mathrm{CRLB}_\theta, \quad \tau \in [0, 3.4\sigma] \qquad (6.41)$$

where $\hat{p}$ is an unbiased estimator of $\theta$ which uses quantized observations of the RV to estimate $\theta$.

Proof: Consider the RV $N$ which is then quantized with bin size $\tau$ and $\psi = 0$. If we let $\tau \to 0$ then the relationships (6.24) and (6.23) apply and the proposition becomes the standard CRLB.

Next, as $\tau$ increases from zero (6.10) can also be seen as a sum of shifted and scaled Bernoulli "pseudo-distributions". We note that each of the pseudo-distributions is not a true distribution since the resulting sum must satisfy $\int p_{N'}(x)\,dx = 1$ and therefore $0 < \int p_{\alpha_n}(x)\,dx < 1\ \forall n$ where $p_{\alpha_n}(x)$ is the $n$th pseudo-distribution.

Next, recall that the Fisher information of a Bernoulli RV is given by $I(p) = \sigma^{-2}$ where $\sigma^2$ is the variance of a Bernoulli RV. Therefore the Fisher information of the quantized RV is given by

$$I(x') = \sum_n I_n(p) = \sum_n \tilde{\sigma}_n^{-2} \qquad (6.42)$$

where $\tilde{\sigma}_n^2$ is the pseudo-variance of the $n$th Bernoulli pseudo-distribution.

Now we have already shown, and Sheppard's correction for the second moment (6.40) verifies (cf. also Figure 6.12), that for small $\tau$ the following will hold

(6.43)

Stated another way, the variance of the quantized signal must not be smaller than that of the latent signal. Therefore, the Fisher information of the observed RV will not be larger than the Fisher information of the latent RV and the inequality in the theorem will be strict. Similarly, we have shown that the variance of the observed RV will be greater than the original for $\tau < 3.4\sigma$ so the proposed bound will hold for $\tau \in [0, \approx 3.4\sigma)$, $\forall \psi$. ■

Footnote: This section is revised from [29].

Figure 6.13. The variance of a MLE of a quantized RV parameterized by $\tau$ is presented for two different offsets $\psi$. Source: [29].

To verify the theorem is valid consider a normal RV $\mathcal{N}(\mu, \sigma^2)$ which is quantized and the parameter to be estimated is the mean, $\mu$. We show the results of a numerical study in Figure 6.13 in which we estimate $\mu$ via the standard maximum-likelihood method for various bin sizes, $\tau$. It can be seen that for any shift in the bins (i.e., $\forall \psi$) the resulting RMSE lies above the CRLB for $\tau < 3.4\sigma$ which supports Theorem 1. Conversely, for values of $\tau > 3.4\sigma$, the results shown in Figure 6.13 demonstrate that the CRLB will not be appropriate $\forall \psi$. Thus, without a priori knowledge of the exact annular offset $\psi$, a lower bound cannot be realized.

Note that for smaller relative values of $\tau$ (e.g., $\tau \in [0, \sigma)$) the deviation from the latent RV variance is minimal. Thus, it will be that the bound presented in Theorem 1 is not strict and an efficient estimator will achieve the lower bound. In other cases where $\tau$ is larger and the quantized variance deviates from the latent variance, an efficient estimator will not meet the lower bound as defined by the latent variance and the inequality in the theorem will be strict. However, for smaller $\tau$ the deviation of the quantized RV variance from the latent RV variance can be calculated with a high degree of fidelity via Sheppard's correction (6.40). Thus, the bound can be adjusted in this manner to show a tighter lower bound for larger $\tau$ and evaluate the efficiency of estimators.
CHAPTER 7:
The Timing Advance as a Quantized Random Variable


In this section, we describe the TA as a quantized RV and compare the current RV with 
that of a legacy cellular protocol. We then derive a MLE and lower bound for the TA-based 
position estimate through showing that the LTE TA satisfies the requirements of Theorem 1. 


7.1 Spatial Quantization in Cellular Networks 

It is not difficult to see that the TA is a quantized RV. Eirst, the base station must make 
a distance estimate based on the time of arrival of a UE’s uplink frame which we model 
as a normal RV. The assumption of normality associated with this phenomenon is well 
accepted in the literature [7], [10]. Next, the eNB must determine if the measured distance 
necessitates adjustment to the UE’s timing. Because the base station can only affect timing 
adjustment in discrete units, the timing mismatch must be greater than r/c in order for 
an adjustment to be issued. Hence, the TA can be seen as quantizing the UE’s distance 
from the serving eNB to the nearest multiple of r as in Eigure 7.1. Recall that, in ETE, 
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T = 78.125 m (cf. (4.4)). 


The quantization scheme depicted in Figure 7.1 is also applicable to GSM where r = 
550 m [40]. The difference in quantile size for GSM and LTE can be attributed to tighter 
timing alignment required in LTE in order to support higher data rates. To highlight how 
the change in quantile size from GSM to LTE affects the statistics of the problem, let first 
(Tbts ~ o-eNB = cr. In other words, let the latent RV associated with the eNB(BTS) error 
estimation of the UE distance be approximately the same. Let cr = 50 m following our 
review of field measurements in Chapter 4. Next, recall that the lower bound associated 
with a quantized RV is the CRLB as long as r < 3.4cr (cf. Theorem 1). 

For LTE this condition holds since

$$\tau_{LTE} \approx 1.56\sigma. \tag{7.1}$$

This assures that there is a finite lower bound on the measurement error and that the error
will be approximately independent from the annular offset, $\psi$.

Conversely, in GSM the condition does not hold since

$$\tau_{GSM} = 11\sigma. \tag{7.2}$$

Thus, the performance of the position estimate will be highly dependent on $\psi$. This
means that if the target UE is a favorable distance away from the BTS (i.e., $d = n\tau$ so
that $\psi = 0$) then the variance of the position estimate will go to zero as $\tau \to \infty$ (cf.
Figure 6.13). Alternatively, if the target UE is not a favorable distance away from the BTS
(i.e., $d = n\tau + \tau/2$ so that $\psi = \tau/2$) then the variance of the position estimate will become
very large as $\tau \to \infty$ (cf. Figure 6.13).
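The $\psi$-dependence contrasted in (7.1) and (7.2) can be computed exactly. The Python below is an added example, not code from the thesis: it assumes the TA rounds the noisy range to the nearest multiple of $\tau$, takes $\sigma = 50$ m from the text, and its function names are illustrative.

```python
import math

TAU_LTE = 78.125   # m, LTE TA quantile (from the text)
TAU_GSM = 550.0    # m, GSM TA quantile (from the text)
SIGMA = 50.0       # m, latent ranging error assumed in the text


def norm_cdf(x, sigma):
    """CDF of a zero-mean normal RV with standard deviation sigma."""
    return 0.5 * (1.0 + math.erf(x / (sigma * math.sqrt(2.0))))


def quantized_error_moments(tau, sigma, psi):
    """Exact mean and mean-square of e = Q(psi + N) - psi.

    N ~ N(0, sigma^2) is the latent ranging error, psi is the annular
    offset of the true distance inside its quantile, and Q rounds to the
    nearest multiple of tau (assumed quantizer model).
    """
    kmax = int(math.ceil((abs(psi) + 12.0 * sigma) / tau)) + 1
    mean = msq = 0.0
    for k in range(-kmax, kmax + 1):
        # N must land in [lo, hi) for the quantizer to output k * tau.
        lo = (k - 0.5) * tau - psi
        hi = (k + 0.5) * tau - psi
        prob = norm_cdf(hi, sigma) - norm_cdf(lo, sigma)
        err = k * tau - psi
        mean += prob * err
        msq += prob * err * err
    return mean, msq


def rmse_range_over_psi(tau, sigma, steps=64):
    """Smallest and largest RMSE as psi sweeps one quantile [-tau/2, tau/2]."""
    rmses = []
    for s in range(steps + 1):
        psi = -tau / 2.0 + tau * s / steps
        _, msq = quantized_error_moments(tau, sigma, psi)
        rmses.append(math.sqrt(msq))
    return min(rmses), max(rmses)


def satisfies_theorem_condition(tau, sigma):
    """The tau < 3.4 * sigma condition quoted from Theorem 1."""
    return tau < 3.4 * sigma


if __name__ == "__main__":
    for name, tau in (("LTE", TAU_LTE), ("GSM", TAU_GSM)):
        lo, hi = rmse_range_over_psi(tau, SIGMA)
        print(f"{name}: tau/sigma={tau / SIGMA:.2f} "
              f"condition={satisfies_theorem_condition(tau, SIGMA)} "
              f"RMSE over psi: {lo:.2f} m to {hi:.2f} m")
```

For LTE the RMSE stays nearly flat across the quantile, while for GSM it swings from almost zero at the annulus centre to half a quantile at the boundary.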

Therefore, the tighter timing alignment in LTE marks a significant change in how the
TA can be used for positioning. In LTE the TA can be used with relatively consistent
results. Conversely, the performance associated with TA-based positioning in GSM will
vary significantly since $\psi$ is generally not known a priori.

7.2 A Maximum Likelihood Estimate and Lower Bound
for Timing Advance Positioning

In order to derive a MLE for a UE position we must first characterize the distribution of
error after quantization $p_{N'}(x)$, which is shown in Figure 6.6 and given in (6.10). However,
we have shown in (6.37) that the shape of the density is parameterized by $\psi$. Despite this
fact, we will further show that it is also appropriate to model all possible with a
single density that is independent of $\psi$.

To begin, let $p_{N'}(x, \psi)$ be the joint density of the error in the distance estimate and annular
offset $\psi$. Next, let $p_{N'}(x)$ be a normal marginal density of $p_{N'}(x, \psi)$. Recall that this
choice of a distribution models the continuous error associated with distance measurement
and is widely accepted in the literature [7], [10]. To arrive at $p_{N'}(x \mid \psi)$, contrast the effect
on $\mathrm{III}_\tau(x - \psi)$ of when a UE is positioned in the center of a TA annulus ($\psi = 0$) with when
a UE is on a TA boundary ($\psi = \tau/2$), which is shown in Figure 6.11. Upon inspection,
it appears that $p_{N'}(x)$ and $p_\Psi(\psi)$ should be dependent since the shape of $p_{N'}(x \mid \psi)$ is
completely dependent on $\psi$. However, it has been shown that if the conditions of QT1 or
QT2 are satisfied then $p_{N'}(x)$ and $p_\Psi(\psi)$ are, in fact, independent [71], [72].

The implication of this paradoxical independence for the TA as a RV is that regardless
of where the UE is located within a TA annulus, the error can be modeled with the same
density assuming the conditions of QT1 or QT2 can be met. This is an important fact
to establish in order to make an MLE which is independent of $\psi$ tractable. It is obvious
that neither $\tau_{GSM}$ nor $\tau_{LTE}$ meets QT1 since the latent, unquantized, RV (Gaussian) is not
bandlimited. Fortunately, QT2 only requires approximate bandlimitation. It can be seen
from (7.2) that GSM does not satisfy QT2. However, from (7.1) it can be seen that LTE
does satisfy QT2.

Thus, in addition to providing consistent results from TA-based positioning, the tighter
timing alignment in LTE also allows us to formulate a MLE independent of $\psi$, allowing for
tractable analysis and making a closed form solution possible.

To see this consider the joint density presented in the left pane of Figure 7.2. When the
joint density is rotated such that the $\psi$ dimension is not visible, as in the right panel, one
can observe the latent normal density. If the value of $\psi$ is completely unknown it would be

Figure 7.2. The joint and marginal density of the error associated with
TA-based positioning is presented: (a) $p_{N'}(x, \psi)$, (b) $p_{N'}(x)$. Adapted from [29].



(7.3) 


(7.4) 


therefore $p_{N'}(x) \sim \mathcal{N}(0, \sigma^2)$ regardless of the shape of $p_\Psi(\psi)$.

Having established = $p_{N'}(x)$, we can now formulate the MLE for a set of single
distance measurements $\hat{\mathbf{d}} = [\hat{d}_1, \hat{d}_2, \ldots, \hat{d}_N]^T$ from $N$ distinct eNBs as

$$\hat{\mathbf{p}} = \arg\max_{\mathbf{p}} \; p(\hat{\mathbf{d}} \mid \mathbf{d}) \tag{7.5}$$

where $\hat{\mathbf{p}} = [x, y]^T$ is the position estimate and $\mathbf{d} = [d_1, d_2, \ldots, d_N]^T$ is a vector of true
distances such that $\hat{d}_i = d_i + N'$. The solution to this program for normally distributed
measurement error is well-known as [10]


$$\sum_{i=1}^{N} \frac{(\hat{d}_i - d_i)(x - x_i)}{\sigma_i^2 d_i} = 0 \tag{7.6}$$

$$\sum_{i=1}^{N} \frac{(\hat{d}_i - d_i)(y - y_i)}{\sigma_i^2 d_i} = 0. \tag{7.7}$$


Solving (7.6) and (7.7) directly involves an exhaustive search in $\mathbf{p}$. However, numerical
solutions have been proposed that have been shown to be statistically efficient (e.g., [31]).
A further difficulty of (7.6) and (7.7) is that they depend on the true distance estimate $d_i$
which is obviously not known a priori.

Here, we adopt two methods for approximating the solution to (7.6) and (7.7). In the first
approach we approximate the MLE as [73]


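$$\hat{\mathbf{p}} = \arg\min_{\mathbf{p}} \sum_{i=1}^{N} \left(\hat{d}_i - \lVert \mathbf{p} - \mathbf{p}_i \rVert\right)^2 \tag{7.8}$$

where $\mathbf{p}_i = [x_i, y_i]^T$ is the position of the $i$th eNB. The sum can easily be extended to include
a CeSAR measurement by

$$\hat{\mathbf{p}} = \arg\min_{\mathbf{p}} \left(\hat{d}' - \lVert \mathbf{p} - \mathbf{p}' \rVert\right)^2 + \sum_{i=1}^{N} \left(\hat{d}_i - \lVert \mathbf{p} - \mathbf{p}_i \rVert\right)^2 \tag{7.9}$$

where $\mathbf{p}' = [x', y']^T$ is the position of the CeSAR sensor.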


In this way, each term in the sum represents the squared residual error associated with each
position in $\mathbf{p}$ given the distance measurements $\hat{\mathbf{d}}$. The $\mathbf{p}$ which minimizes the sum of the
squared residuals is taken as the position estimate $\hat{\mathbf{p}}$. This approximation will be valid only
for the case where each $\sigma_i = \sigma$, $\forall i$, and is thus a necessary condition. This is a well-known
technique which is widely accepted, especially in the case where the error cannot be exactly
parameterized by a probability distribution [10]. Note that (7.8) and (7.9) do not depend
on any $d_i$, thus removing a significant obstacle associated with (7.6) and (7.7); however, the
solution to (7.8) and (7.9) cannot be found in closed form. Instead, numerical means must
be leveraged which can still be computationally expensive [10].

The second solution we leverage takes more of a brute force approach which trades
computational complexity for a solution which is not nuanced by idiosyncrasies associated with
more complex approximate methods (e.g., the non-linear solver associated with the numerical
solution to (7.8)). This solution first computes a single error surface over the tracking
area. Assuming each measurement to be independent of the next it can be defined by

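$$P(\hat{\mathbf{d}} \mid \mathbf{p}) = \prod_{i=1}^{N} p(\hat{d}_i \mid \mathbf{p}). \tag{7.10}$$

An optional equivalent surface, relative to the solution of (7.6) and (7.7), which may be
more convenient can be expressed as

$$p(\hat{\mathbf{d}} \mid \mathbf{p}) = \sum_{i=1}^{N} \log p(\hat{d}_i \mid \mathbf{p}) \tag{7.11}$$

where $p(\hat{\mathbf{d}} \mid \mathbf{p})$ is known as the log-likelihood function of $\hat{\mathbf{d}}$. The sum in (7.11) can be
extended to include a CeSAR measurement so that

$$p(\hat{\mathbf{d}} \mid \mathbf{p}) = \log p(\hat{d}' \mid \mathbf{p}) + \sum_{i=1}^{N} \log p(\hat{d}_i \mid \mathbf{p}). \tag{7.12}$$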

Because the value at each point in the error surface must be computed individually, the
surface necessarily will have some granularity which can be thought of as sampling. The
granularity will vary inversely with the computational load. Thus, the higher the resolution
of the surface, the higher the computational load. This surface is then exhaustively searched
for the global maximum. A second surface, with a higher resolution and smaller area, is
then calculated around this global maximum in order to refine the estimate. The global
maximum on the second surface is then taken as

$$\hat{\mathbf{p}} = \arg\max_{\mathbf{p}} \; p(\hat{\mathbf{d}} \mid \mathbf{p}). \tag{7.13}$$

This method, while computationally costly, will later be shown to be efficient in the sense
of the lower bound derived in Chapter 7 while, similar to (7.8), not being dependent on any
$d_i$.

A difficulty associated with each of these solutions is that a valid starting point must be used
in order to avoid the local maximum trap. Therefore, we assume an a priori knowledge of
the general target location such that the local maximum trap is avoided. In order to highlight
more relevant points in the results and avoid sources of error associated with local maxima
we initialize each solution with the true location of the UE. We recognize this artificiality
in the experimentation while also noting that optimization of difficult objectives with local
maxima is a well-traveled subject in the literature and not the focus of our research.

Finally, because the $\hat{\mathbf{p}}$ generated in this way are not exact, we hereafter refer to solutions
made via one of the two aforementioned methods as the approximate-MLE (AMLE).
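The two-pass surface search of (7.10) to (7.13), with the optional CeSAR term of (7.12), as an added Python example (not the thesis code). Assumptions: Gaussian range densities with 50 m standard deviation for TAs and 20 m for the CeSAR range, a TA that rounds to the nearest multiple of 78.125 m, and a constructed four-eNB layout; all function names are illustrative.

```python
import math

TAU = 78.125      # m, LTE TA quantile (from the text)
SIGMA_TA = 50.0   # m, eNB ranging error assumed in Chapter 7
SIGMA_C = 20.0    # m, CeSAR ranging error used in Section 8.1.2


def quantize_ta(distance, tau=TAU):
    """Report a range the way the TA does: nearest multiple of tau."""
    return tau * round(distance / tau)


def log_likelihood(p, anchors, ranges, sigmas):
    """Sum of Gaussian log-densities log p(d_hat_i | p), as in (7.11)/(7.12)."""
    total = 0.0
    for (ax, ay), d_hat, sigma in zip(anchors, ranges, sigmas):
        resid = d_hat - math.hypot(p[0] - ax, p[1] - ay)
        total += (-0.5 * (resid / sigma) ** 2
                  - math.log(sigma * math.sqrt(2.0 * math.pi)))
    return total


def grid_argmax(center, half_width, step, anchors, ranges, sigmas):
    """Exhaustively search a square grid and return the best grid point."""
    n = int(round(half_width / step))
    best, best_ll = None, -math.inf
    for i in range(-n, n + 1):
        for j in range(-n, n + 1):
            p = (center[0] + i * step, center[1] + j * step)
            ll = log_likelihood(p, anchors, ranges, sigmas)
            if ll > best_ll:
                best, best_ll = p, ll
    return best


def amle_grid(anchors, ranges, sigmas, center=(0.0, 0.0),
              half_width=500.0, coarse=25.0, fine=1.0):
    """Coarse surface over the tracking area, then a finer surface one
    coarse cell wide around the coarse maximum, as in (7.13)."""
    p0 = grid_argmax(center, half_width, coarse, anchors, ranges, sigmas)
    return grid_argmax(p0, coarse, fine, anchors, ranges, sigmas)


# Constructed scenario (not measured data): four eNBs around a UE, plus
# one CeSAR sensor with an error-free range as in the synthetic study.
ENBS = [(-400.0, -300.0), (450.0, -250.0), (-350.0, 400.0), (400.0, 350.0)]
SENSOR = (200.0, 100.0)
UE = (120.0, -80.0)


def position_error(p):
    """Distance in metres between an estimate and the constructed UE."""
    return math.hypot(p[0] - UE[0], p[1] - UE[1])


def constructed_scenario():
    """Return (TA-only error, CeSAR-augmented error) in metres."""
    ta = [quantize_ta(math.hypot(UE[0] - x, UE[1] - y)) for x, y in ENBS]
    d_sensor = math.hypot(UE[0] - SENSOR[0], UE[1] - SENSOR[1])
    p_ta = amle_grid(ENBS, ta, [SIGMA_TA] * len(ENBS))
    p_aug = amle_grid(ENBS + [SENSOR], ta + [d_sensor],
                      [SIGMA_TA] * len(ENBS) + [SIGMA_C])
    return position_error(p_ta), position_error(p_aug)


if __name__ == "__main__":
    e_ta, e_aug = constructed_scenario()
    print(f"TA-only error: {e_ta:.1f} m, with CeSAR: {e_aug:.1f} m")
```

The search is centred on the tracking area rather than on the true UE position, so the coarse pass stands in for the a priori knowledge of the general target location.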
CHAPTER 8:
Results


In this chapter, we present results that support the previous analysis and describe the
performance of TA-based positioning with and without CeSAR augmentation. Furthermore, the
ability of CeSAR to mitigate geometric weaknesses in the network infrastructure is
demonstrated. We first show the accuracy of TA-based positioning and CeSAR augmentation in
various scenarios using synthetic and empirical data. Next, we show the MLE to be an
efficient estimator in the context of the lower bound derived in Chapter 7.

The results presented herein have been largely previously published (or are submitted for
publication) [21], [24], [28], [29]. Specifically, Section 8.1.1 is revised from “Cellular
Synchronization Assisted Refinement (CeSAR): A Method for Accurate Geolocation in
LTE-A Networks” by John Roth, Murali Tummala, and James Scrofani published in the
proceedings of the 49th Hawaii International Conference on System Sciences in January
2016 [24]. Section 8.1.2 is revised from “Location Privacy in LTE: A Case Study on
Exploiting the Cellular Signaling Plane’s Timing Advance” by John Roth, Murali Tummala,
John McEachen, and James Scrofani to be published in the proceedings of the Hawaii
International Conference on System Sciences in January 2017 [28]. Section 8.3.2 is revised
from “On Location Privacy in LTE” by John Roth, Murali Tummala, John McEachen, and
James Scrofani which has been submitted for publication [29].

8.1 Accuracy of Timing Advanced-Based Positioning 

In this section, we use synthetic and empirical data to examine the achievable accuracy 
associated with TA-based positioning and CeSAR augmentation. 

8.1.1 Synthetic Results 

First, using only synthetically generated measurements we evaluate performance in several
scenarios of interest. Specifically, we investigate performance in legacy deployments,
handover scenarios, and in heterogeneous networks. When CeSAR is included, no error is
assumed in the CeSAR measurement and the most central point on the refined locus is used
as the position estimate. When CeSAR is not used, the centroid of the locus is used as the
position estimate. Additionally, sectoring of the serving cell is not assumed in any study.
Excerpts from this section are taken from [24].

Figure 8.1. Results of positioning with synthetic data in a legacy network
deployment are presented. The refined estimate is the result of CeSAR
augmentation. Source: [24].

Legacy Deployments 

First, we present results in several different scenarios realized with entirely synthetic
measurements. In this section, TA error is modeled as uniform, $\Psi \sim [-78.125/2\ \text{m}, 78.125/2\ \text{m}]$,
and the target and sensor are randomly placed throughout the coverage area (max distance
≈ 500 m) such that the distance from the PCell is uniform as is the angle from the abscissa.
It is additionally imposed that the sensor-UE distance is > 78.125 m. The first study uses only
one serving eNB (PCell) in order to model performance in legacy LTE networks. When a
position estimate is made with TA data only, $\hat{\mathbf{p}}$ is chosen randomly inside the TA annulus
such that the polar angle is uniformly distributed $\in [0, 2\pi)$ and annular offset $\psi$ is uniformly
distributed $\in [n\tau - \tau/2, n\tau + \tau/2]$. The results are presented via a cumulative distribution
of errors in Figure 8.1.

The low performance in this technique can be explained by the high degree of uncertainty
offered by a large locus. Small errors are representative of scenarios when the TA quantity is
small (i.e., the UE is physically close to the eNB) or in the unlikely scenario that the estimated
position is chosen very near to the actual target location. Large errors are accounted for
by large TA values (i.e., the UE is near or on the cell boundary) and when the estimated
position is chosen on the opposite side of the annulus as the true target location. Of special
note is this curve’s very uniform appearance with the slight non-uniformity accounted for
by the non-linear shape of the locus.

The second curve presented in Figure 8.1 contrasts the performance improvements that can
be realized through CeSAR. This curve presents in much more of an exponential distribution,
shifting the preponderance of errors to much lower values. Here, CeSAR results in 254 m
improvement in the circular error probable (CEP) 70% metric.

Despite significant improvement from the former method, notable large errors are still 
present. These large errors are realized when the intersection between the circle and annulus 
results in two separate line segments (disjoint locus) and the estimated target location is 
on the opposite segment from the actual target location. Again, larger TAs result in the 
potential for larger errors, thus cell size can be linked to accuracy. 

Handover Scenarios 

In the next study, still in keeping with legacy network deployments, we investigate the 
performance of TA-based positioning during handover events. The handover scenario is 
particularly interesting since two TAs are issued from neighboring eNBs to the same UE 
within close succession of each other thus providing additional information when forming 
the system of equations used to generate a position estimate. 

For this study, we assume that the UE is located on the cell boundary between two eNBs as
defined by $\mathcal{N}(\mu_{cb}, \sigma_{cb}^2)$ where $\sigma_{cb} = 70$ m and $\mu_{cb}$ is the exact cell boundary. This model
is used in order to take into account the fact that handovers do not always happen precisely
at cell boundaries. The value of $\sigma_{cb} = 70$ m is chosen to be slightly larger than measured
errors in eNB distance measurements (cf. Chapter 4).

As can be seen in Figure 8.2, we see a significant improvement in performance both with and
without CeSAR from the previous scenario. This improvement is directly attributable to the
extra positioning information associated with the second eNB. When this extra information
is augmented by CeSAR the improvement becomes even more dramatic. The CEP 70%
is 200 m without CeSAR and 41 m with CeSAR. Most notable, however, is the large
improvement afforded by the extra information associated with the second eNB.

Figure 8.2. Results of positioning with synthetic data in handover scenarios
are presented. The refined handover is the result of CeSAR augmentation.
Source: [24].

Heterogeneous Deployments 

Motivated by the results realized in the previous section by including a TA from one
additional eNB, we investigate the achievable performance possible in heterogeneous
deployments. Recall (cf. Chapter 4) that LTE release 11+ deployments may include physically
disparate eNBs known as SCells which simultaneously provide service to a single UE.
Because there is no requirement that the eNBs are near each other, each eNB is responsible
for maintaining timing alignment with the UE by issuing separate TAs attributable to the
respective PCell or SCells via the TAG [50], [54].

In order to model this type of deployment, the sensor and UE locations are randomly chosen
as before. The first SCells positions are chosen with distribution $\mathcal{N}(\mu_{UE}, \sigma_{hn}^2)$ where
$\mu_{UE} = [x_{UE}, y_{UE}]^T$ is the location of the UE randomly chosen a priori and $\sigma_{hn} = 200$ m.
This model is adopted in order to add realism to the simulation since UEs are more likely
to be associated with SCells which are nearby. Additionally, the SCells will likely have a
smaller coverage area represented by $\sigma_{hn}$. The results of varying the number of configured
SCells from one to four are presented in Figure 8.3 without CeSAR in the left pane and
with CeSAR in the right pane. A maximum of four SCells is considered since that is the
maximum number of SCells the standard is designed to support (cf. Figure 4.2).

Figure 8.3. The results of positioning with synthetic measurements within
a heterogeneous network deployment are presented when one to four SCells
are configured along with the PCell. The results in the left pane are from
TA-only positioning while those in the right pane are CeSAR augmented.
Source: [24].

In the case of TA-only positioning the CEP 70% ranges from 39.7 m with one SCell
configured to 23.5 m with four SCells configured. For CeSAR augmented positioning the
CEP 70% ranges from 32 m with one SCell configured to 14 m with four SCells configured.
For both regular and CeSAR augmented TA-based positioning, this marks a significant
improvement from single eNB legacy networks. We also see that CeSAR continues to
deliver performance gains even in deployments with many serving eNBs although the
magnitude of the performance gains is on the order of 10 m as opposed to legacy networks
where the improvement could be as large as 150 m. Finally, of note is the difference in the
shape of the error distribution between CeSAR augmented and TA-only positioning. The
CeSAR augmented errors appear approximately exponential while those that result from
TA-only positioning have a Rayleigh-like shape. Thus, CeSAR augmentation will realize
more small errors than the TA-only option.

Summary of Synthetic Results

In legacy single PCell deployments with no cell sectoring we found that the CEP 70%
accuracy was 412 m when only the TA was used for localization. When the position
estimate was made during a handover scenario, the TA-only accuracy improved to 200 m
CEP 70%. Finally, in heterogeneous networks that accuracy further improved to 39.7 m -
23.5 m for one to four SCells configured respectively.

With CeSAR augmentation, we have demonstrated that, in non-sectored cells, a user could
be reliably located during normal legacy intra-cell mobility management to within 158 m, a
254 m improvement over TA-only positioning. Inter-cell mobility management showed an
accuracy of 41 m, an improvement from TA-only positioning of around 159 m. In advanced
heterogeneous LTE deployments the multiplicity of TAs issued to a target UE improve
positioning accuracy dramatically. Here, CeSAR can deliver excellent performance on the
order of 14 meters although the performance gains are not as significant as in legacy network
scenarios.

8.1.2 Empirical Results 

In this section, we present two case studies conducted in Monterey, CA in existing LTE
network deployments. In both cases, real-world TA data observed in the network are used
and the position estimate is made offline. Both scenarios, depicted in Figure 8.4, include two
actual serving eNBs and a notional sensor if CeSAR augmentation is used. In both cases,
the track taken by the UE is shown alongside the infrastructure. Scenario A (cf. Figure 8.4,
left pane) includes a UE track that is 277 m long and includes 73 recorded TAs in the 700
MHz and 2000 MHz bands. Scenario B (cf. Figure 8.4, right pane) includes a UE track
that is 830 m long and includes 323 recorded TAs in the 700 MHz, 1900 MHz, and 2000
MHz bands. Both scenarios are conducted in suburban settings free from major physical
obstructions like skyscrapers or other dense urban clutter. Also, in both scenarios, the UE
is traveling at ≈ 50 km/hr. In the event that CeSAR augmentation is used, a notional sensor
is included as in Figure 8.4. CeSAR measurements are modeled with normal zero-mean
error with $\sigma_c = 20$ m. In both scenarios, the position estimate is calculated via the AMLE
in (7.8) or (7.9).

39 This section has been revised from [24].

Figure 8.4. The infrastructure and tracks used in two case studies conducted
in Monterey, CA are presented. Source: [28].


At the time of this study, the tested network did not support physically disparate carrier 
aggregation. Therefore, simultaneous TA issuance was simulated in the field by locking a 
field test phone to one eNB, driving the track depicted in Figure 8.4, then locking the phone 
to a neighboring tower and driving the track again. TAs were elicited and the phone was 
kept in the RRC CONNECTED state by continuously sending ping requests throughout the test 
drive. 


The results of the above two scenarios are shown in Figure 8.5. In terms of CEP 70%, 
scenario A was accurate to 240 m and scenario B was accurate to 295 m. In both scenarios, 
CeSAR augmentation improved positioning accuracy. The CEP 70% metrics improved after 
augmentation to 95 m and 157 m respectively. In both scenarios, results roughly matched 
the positioning accuracy predicted in simulation during a handover scenario above. This 
is remarkable, especially given that the network performance was stretched by forcing a 
connection with a certain eNB while traveling outside of its normal coverage area. 

This study corroborated previous simulation performance in handover scenarios in an
existing LTE network in Monterey, CA. Moreover, real-world data were used to present a
realistic picture of the accuracy possible with TA-only and CeSAR augmented positioning.
CeSAR augmentation was further validated by demonstrating performance enhancements
of around 150

Figure 8.5. Positioning performance achieved during the case studies
performed in actual network deployments in Monterey, CA. Source: [28].


8.2 Empirical CeSAR Validation 

In this section, we evaluate the performance of CeSAR in terms of CEP with data exclusively 
collected during experimentation. As before, TA data are collected from a nearby serving 
eNB and processed in accordance with the aforementioned precepts. The main contribution 
of this experiment is to introduce real-world CeSAR data. 

8.2.1 Experimental CeSAR Setup 

As depicted in Figure 8.6, all steps of the CeSAR method are tested with the exception
of sensor-network synchronization which is assumed a priori. The observation of TAs is
conducted as before with a field test phone. Observation of uplink bursts is conducted
on-site in SDR. Finally, the sensor-UE distance estimate is made as before in the MFE with
the assumption that the CeSAR error is normally distributed.

Of these steps, observation of uplink bursts is the most involved and represents the most
significant contribution made by this experiment, which separates it from previous
experimentation where CeSAR ranging data are synthesized. The sensor hardware implementation
is as presented in Section 5.2 (cf. Figure 5.2) and the overall system setup is as shown in
Figure 8.7. A single USRP was used to transmit and receive a simulated UE uplink frame.
The time-of-flight of the frame was measured and used to estimate the sensor-UE distance.
The transmit antenna was placed in the transmit location and the USRP was collocated
with the receive antenna at the receive location. The transmit antenna was connected to the
USRP via a 150 m coaxial cable. Additionally, several amplifiers were used in the system
to overcome losses associated with propagation along the coaxial cable and through free
space. The link budget, along with a detailed system diagram, is given in Appendix H.

40 This section has been revised from [28].

Figure 8.6. The CeSAR algorithm in field experimentation

A single USRP with synchronized TX/RX chains was used due to difficulties associated
with synchronizing physically disparate USRPs. When synchronizing USRPs via GPS
disciplined oscillators the best achievable synchronization had a standard deviation of
≈ 40 μs. This magnitude of synchronization mismatch translated to 12 km and was judged
untenable for the application. Conversely, synchronization among TX/RX chains resident
on the same SDR daughterboard resulted in errors of no more than 40 ns. Thus, intra-device
synchronization was used.

Figure 8.7. The experimental CeSAR system setup

Figure 8.8. The field CeSAR test site depicted above is located in Monterey,
CA. Distances inside the dashed box are drawn to scale; however, the
relationship of the eNB to the local test site is not.

The time-of-flight calculation was made by transmitting a binary phase-shift keyed (BPSK)
pseudo-noise (PN) sequence and matched filtering the received signal. The PN sequence
was generated by a Galois linear feedback shift register (LFSR) of order 12 (4095 chips
long). This length was chosen as a trade-off between maximizing the processing gain
and minimizing the processing time. The signal was generated with the GNU Radio
software platform [footnote 41]. While an uplink frame in LTE would be modulated by orthogonal
frequency-division multiplexing (OFDM), the choice of BPSK modulation can be seen as a
conservative choice when estimating performance since it will be more affected in a fading
channel than its OFDM realization. The BPSK signal was transmitted at 915.1 MHz in
order to simulate cellular frequency propagation characteristics while still operating in an
unlicensed band. The sample rate of the N210 was set to the maximum allowable rate, 25
MSps. This sample rate maximized the final resolution of the scheme to 1/25 MSps = 40
ns which translates to roughly 12 m.
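The ranging step described above, as an added Python example that is not the Appendix I code. Assumptions: one sample per chip, the feedback polynomial x^12 + x^11 + x^10 + x^4 + 1 (the text gives only the LFSR order), a constructed noisy capture, and a peak-validation threshold chosen for illustration.

```python
import math
import random

C = 299_792_458.0     # m/s, speed of light
FS = 25e6             # samples/s, N210 rate from the text
ORDER = 12            # LFSR order from the text
GALOIS_MASK = 0xE08   # assumed taps: x^12 + x^11 + x^10 + x^4 + 1


def pn_chips(order=ORDER, mask=GALOIS_MASK, seed=1):
    """One period of a Galois-LFSR sequence as BPSK chips (+1.0 / -1.0)."""
    n = (1 << order) - 1
    state, chips = seed, []
    for i in range(n):
        bit = state & 1
        state >>= 1
        if bit:
            state ^= mask
        chips.append(1.0 if bit else -1.0)
        if state == seed and i != n - 1:
            raise ValueError("feedback mask is not maximal-length")
    if state != seed:
        raise ValueError("feedback mask is not maximal-length")
    return chips


def matched_filter(rx, ref, max_lag):
    """Correlate rx against ref at every sample lag 0..max_lag."""
    return [sum(r * rx[k + lag] for k, r in enumerate(ref))
            for lag in range(max_lag + 1)]


def time_of_flight(rx, ref, max_lag, min_ratio=8.0, fs=FS):
    """Return (lag, seconds, metres), or None if the peak is too weak.

    min_ratio is an assumed validation threshold: the peak must exceed
    the mean magnitude of all other lags by this factor.
    """
    corr = matched_filter(rx, ref, max_lag)
    lag = max(range(len(corr)), key=corr.__getitem__)
    others = [abs(v) for i, v in enumerate(corr) if i != lag]
    floor = sum(others) / len(others)
    if corr[lag] < min_ratio * floor:
        return None
    return lag, lag / fs, C * lag / fs


def timing_error_to_range(seconds):
    """Range error caused by a clock offset between transmitter and receiver."""
    return C * seconds


def constructed_capture(ref, delay, gain, noise_sigma, max_lag, seed=7):
    """Constructed receive buffer: noise plus one delayed, scaled copy of ref."""
    rng = random.Random(seed)
    rx = [rng.gauss(0.0, noise_sigma) for _ in range(len(ref) + max_lag)]
    for k, chip in enumerate(ref):
        rx[k + delay] += gain * chip
    return rx


if __name__ == "__main__":
    ref = pn_chips()
    rx = constructed_capture(ref, delay=13, gain=0.5, noise_sigma=1.0, max_lag=64)
    print("estimate:", time_of_flight(rx, ref, max_lag=64))
    print("40 us sync error ->", timing_error_to_range(40e-6), "m")
    print("40 ns sync error ->", timing_error_to_range(40e-9), "m")
```

The estimate can only move in whole-sample steps of C / FS, and a capture whose correlation peak does not stand out from the other lags is rejected rather than converted to a distance.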

The field test site is shown in Figure 8.8. Due to its location, there was only one available
serving eNB. This eNB is shown in Figure 8.8 (not to scale) three quarters of a kilometer
south of the test site. The sensor remained stationary throughout the experiment and the
target was moved to each of three locations: A, B, and C. At each location the sensor
measured the UE-sensor distance as outlined above 100 times and received TAs from the
serving eNB. Measurements were validated by ensuring the value of the correlation peak
resulting from the matched filter was sufficiently high. Only one measurement taken at site
A was a statistical outlier and discarded. 101, 74, and 80 TAs were collected at sites A, B,
and C respectively after statistical outliers were discarded. The operating bands used while
these TAs were issued were 700 MHz and 2000 MHz. As previously mentioned, the eNB
bias was assumed a priori and taken into account when estimating $d_1$. The distribution of
the TA and CeSAR measurements are presented in box plots in Figure 8.9.

41 See Appendix I for the python code used to synchronize the TX/RX chains and generate the transmitted
signal.

We note that this particular experimental setup, by the nature of physical constraints (e.g., the
available serving eNBs and the length of the coaxial cable), is an example of a pathological
geometry (cf. Chapter 6). In these experiments $\sigma_{TA} \approx 68$ m for TA data and $\sigma_{sen} \approx 23$ m
for sensor data. Therefore, assuming worst case $\sigma$, the test sites should be at least Sctta
off the symmetry directrix described by the sensor and eNB to prevent measurement bias;
however, the length of the coaxial cable would not allow this, thus forcing pathology (i.e.,
bias) in the setup. The bias was manifested here due to the circles representing distance
estimates not intersecting (cf. Chapter 6). This resulted in a preponderance of the estimates
lying on the directrix. Thus, because the geometry is pathological it cannot be compared to
the lower bound previously derived.

8.2.2 Empirical CeSAR Results 

The measurements were used offline to calculate the position estimate and the results are
presented in Figure 8.10. Because only two anchor points are used during the calculation
(i.e., the sensor and the eNB), the system of equations represented by $\mathbf{d}$ is underdetermined.
Additionally, the proximity of the sites to the sensor makes the geometry pathological as
described in Section 6.3, thus the estimate is found with the residual error method (cf.
(7.8)). The results, in terms of CEP 70%, were 53.6 m, 77.3 m, and 57.8 m for locations
A, B, and C respectively. The mean values were 60.7 m, 74.3 m, and 61.6 m for sites A, B,
and C respectively. The curves show that the vast majority of the errors are small; however,
a significant tail is also observed indicating infrequent, but large errors. Regardless, a
level of accuracy which may be able to meet the FCC’s E-911 mandate is demonstrated.
Considering that in this experiment $\mathbf{d}$ is underdetermined (two equations), CeSAR presents
as a viable option to satisfying federal standards [footnote 42].

Figure 8.9. Box plots of empirical CeSAR validation measurements: (a) CeSAR, (b) TA


8.3 Efficiency in Timing Advanced-Based Positioning 

An estimator is said to be efficient if it asymptotically attains the CRLB [48]. In other
words, an efficient estimator will be able to attain the CRLB with an infinite number of
corrupted observations. In this section, we show that TA-based location estimation can be
efficient and demonstrate the maximum achievable bounds for this type of positioning with
synthetic and real-world TA data. Note that since, for LTE, $\tau \approx 1.5\sigma$, Sheppard’s correction
is used when calculating the CRLB [footnote 43].

42 FCC’s E-911 mandate requires that $\Pr[\lVert \mathbf{p}_0 - \mathbf{p} \rVert < 100\ \text{m}] = 0.67$ and
$\Pr[\lVert \mathbf{p}_0 - \mathbf{p} \rVert < 300\ \text{m}] = 0.95$ [4], [5].

43 Refer to the discussion of Theorem 1 in Chapter 6 for more information on the necessity of this when
showing the efficiency of an estimator using quantized observations of a RV.

Figure 8.10. CDF of positioning with empirical CeSAR measurements

8.3.1 The Effect of N and the NLoS Channel

In the first study, we position notional eNBs on a scaled circle centered around the target
UE as in Figure 8.11. Since the positioning accuracy is dependent only on the angular
geometry and not the target-eNB distance (cf. (6.5)), the radius of the circle is some
arbitrary distance $r$. Each eNB has a fixed angular separation of $2\pi/(N_{max} + 1)$ from
the next as in Figure 8.11. The study is repeated for a different $N \in \{3, 9\}$ such that the
angular separation $\theta = 2\pi/(N_{max} + 1)$ is held constant and the number of eNBs $N$ is varied
up to $N_{max} = 9$. When positioning is augmented with CeSAR, the sensor is placed at
$\theta = -\pi(N_{max} - N)/(N_{max} + 1)$. Heuristically, the CeSAR angle can be seen as being placed
$\pi$ radians from the center of the total angle subtending all eNBs. In order to show the effect
of an NLoS channel, each eNB is optionally contaminated with NLoS error. The overall
ratio of eNBs contaminated by NLoS error is given by $\beta$ (the notation indicates CeSAR
is used). Here, NLoS error is modeled as $\delta(d - \mu)$ in accordance with the channel model
presented in Chapter 2 [7], [27], [30]. For these simulations $\mu_i = \mu = 50$ m, $\forall i$. The results
of Monte Carlo trials with each $N$, with and without CeSAR, and for different are shown
in Figure 8.12. In this case, position estimates are calculated with the AMLE presented in
(7.11) and (7.12).

The left pane of Figure 8.12 first demonstrates the efficiency of the AMLE due to its 
congruence with the CRLB"^"^. We also see that for these geometries, RMSE accuracies 
from «70 m to «35 m are possible. It is evident that, at first, increasing N reali z es 
significant gains which become less significant as N becomes large relative to Nmin- As ^ is 

**The CRLB here and in the subsequent study have been adjusted using Sheppard’s correction for quantized
RVs such that $\sigma^2 = \sigma_{\text{latent}}^2 + \tau^2/12$.

Figure 8.11. The experimental setup for real-world TA data

increased, as expected, performance decreases and the channel model prevents an unbiased
estimate; hence, the CRLB is not attained. However, it is notable that even in heavy NLoS
environments ($\beta = 2/3$) RMSE accuracies of ≈95 m to ≈50 m are possible.

The right pane of Figure 8.12 shows the performance as RMSE with and without CeSAR
augmentation for two levels of NLoS contamination $\beta$. In both cases CeSAR provides
modest gains of approximately 5 m. When NLoS contamination is increased to $\beta = 1/3$,
performance decreases overall by 10 to 20 m and the relative performance increase of
CeSAR remains constant. For both cases of $\beta$, the modest increase in performance is
explained by the minimal effect of change on the angular geometry when the CeSAR sensor
is included. Because the sensor is placed roughly parallel to the mid-line axis of the eNBs,
CeSAR has a limited contribution (cf. (6.5)). We will show in the next experiment how the
sensor can be placed in order to maximize its effect.

Finally, note that in both panes the magnitude of location accuracy demonstrated is well
under that of $\tau$. To understand this, first consider the case when $N = 1$ and when the
eNB can perfectly determine the UE distance. Here, the error in the distance estimate is
minimized when $\hat{p}$ is chosen at the middle of the TA annulus such that the error is uniform
on $[-\tau/2, \tau/2]$. From this it can be shown that the associated mean error is ≈ 19 m
and the associated RMSE is ≈ 22 m. Thus, the demonstrated accuracy is well above the
minimum distance estimation accuracy. However, we also note that, assuming no restriction
on $N_{\max}$, it is conceivable to obtain RMSE accuracy lower than 22 m when GDoP < 1 (cf.
Chapter 6).
Figure 8.12. The performance of the TA-based MLE in various levels of NLoS
contamination $\beta$ with optional CeSAR augmentation, panels (a) and (b). Source: [74].

8.3.2 The Effect of Infrastructure Geometry 

We now change the experimental setup to that shown in Figure 8.13 in order to examine the
efficiency of the AMLE with real-world TA data and to highlight the capacity of CeSAR to
negate poor GDoP effects. In all studies, there are $N = 3$ eNBs arranged on a circle centered
on the UE of some radius $r$. The eNBs all share an angular separation of $\theta$. When the
CeSAR sensor is used, it is positioned at $\theta = 3\pi/4$ also on the same circle with radius $r$. For
each scenario a different angular separation between the eNBs $\theta \in \{\pi/10, 3\pi/20, \pi/5, \pi/4\}$
is used. Note that $\theta$ starts off small such that the eNBs are tightly clustered and share a
similar angle to the UE. At $\theta_{\max} = \pi/4$ the third and first eNB are separated by $2\theta = \pi/2$
and the eNBs are more dispersed than at $\theta_{\min} = \pi/10$. Because in an actual LTE network
deployment the number of serving eNBs and $\sigma$ do not vary significantly, here we show
positioning accuracy as a function of infrastructure geometry by iterating through the various
values of $\theta$. This experiment is conducted with both synthetic and real-world data. For
synthetic TA data, in line with field measurements presented in Chapter 4 [21], the observed
$\sigma \approx 50$ meters for all serving eNBs. Also in accordance with Chapter 7, the latent data
are quantized by $\tau = 78.125$ meters before producing a distance estimate via (7.11). When
the real-world data are augmented with CeSAR, the CeSAR error used is the same that was
generated during the empirical CeSAR validation presented in Section 8.2. Additionally,
the same AMLE as was used in the previous experiment is also used here.




Figure 8.13. The experimental setup for all real-world TA data. Source: [29]. 

The results of these studies, with and without CeSAR augmentation, are presented in
Figure 8.14 alongside the theoretical lower bound derived in Chapter 7 for each $\theta$. Additionally,
for each $\theta$, real-world and synthetic data are used. First, we observe close agreement with
the results and the theoretical lower bound for both synthetic and real-world data further
validating the analysis and the efficiency associated with the AMLE. Second, we see close
agreement between the simulated data and real-world data. This agreement validates
assumptions we have made regarding the nature of the data in general which follow from the
theory of quantized random variables.

Note the trend of localization accuracy. When $\theta$ is small and CeSAR is not used to
augment the position estimate, the RMSE is relatively high. However, as $\theta$ increases to
its maximum value, the RMSE decreases. This agrees with the trend expected given in
(6.5). Thus, the existing network geometry is seen as a strong influence on the positioning
performance. In this study, the accuracy varies on the order of 50 meters depending on
the infrastructure layout. However, when the CeSAR sensor is included and strategically
placed, the dependence of localization accuracy on network geometry can be essentially
negated. This illustrates one of the main strengths of CeSAR enumerated in Section 8.2
in mitigating the effects of poor network geometry. The strategy used to maximize the
geometric effect of CeSAR is to place the sensor as orthogonal to the remaining eNB angles
as possible. Finally, we demonstrate with real and synthetic data that RMSE accuracies on
the order of 40 meters are possible which agrees with previous studies.
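
The geometry dependence described above can be evaluated directly from the Fisher information matrix of (C.14). The following is an added example, not code from this work: it assumes eNB bearings of 0, θ and 2θ as seen from the UE and a CeSAR range error with the same σ as an eNB range, so it illustrates the trend rather than reproducing the values in Figure 8.14.

```python
import math

# Values stated in Section 8.3.2 of the text.
TAU_M = 78.125            # TA quantisation step (metres)
SIGMA_LATENT_M = 50.0     # latent per-eNB range error (metres)
THETAS = [math.pi / 10, 3 * math.pi / 20, math.pi / 5, math.pi / 4]
CESAR_BEARING = 3 * math.pi / 4

# Assumptions of this example (not from the text): the eNBs sit at
# bearings 0, theta, 2*theta as seen from the UE, and the CeSAR range
# has the same error standard deviation as an eNB range.


def effective_sigma(sigma_latent=SIGMA_LATENT_M, tau=TAU_M):
    """Sheppard's correction: quantisation adds tau^2/12 to the variance."""
    return math.sqrt(sigma_latent ** 2 + tau ** 2 / 12.0)


def fisher_information(bearings, sigma):
    """2x2 Fisher information for range-only anchors, following (C.14).

    With the UE at the origin, (x - x_i)/d_i and (y - y_i)/d_i reduce to
    -cos and -sin of the anchor bearing, so the anchor distance cancels
    and only the angular geometry remains. Returns (I_xx, I_xy, I_yy).
    """
    ixx = ixy = iyy = 0.0
    for phi in bearings:
        ux, uy = math.cos(phi), math.sin(phi)
        ixx += ux * ux
        ixy += ux * uy
        iyy += uy * uy
    scale = 1.0 / (sigma * sigma)
    return ixx * scale, ixy * scale, iyy * scale


def rmse_bound(bearings, sigma):
    """Lower bound on position RMSE, sqrt(tr(I^-1)), in metres."""
    ixx, ixy, iyy = fisher_information(bearings, sigma)
    det = ixx * iyy - ixy * ixy
    trace = ixx + iyy
    # A (near) singular matrix means every anchor lies on one line
    # through the UE, so one coordinate cannot be estimated at all.
    if det <= 1e-12 * trace * trace:
        raise ValueError("anchors are collinear with the UE")
    # For a 2x2 matrix, tr(I^-1) = tr(I) / det(I).
    return math.sqrt(trace / det)


def geometry_sweep(n_enb=3):
    """Bound for each theta: (theta, eNBs only, eNBs plus CeSAR range)."""
    sigma = effective_sigma()
    rows = []
    for theta in THETAS:
        enbs = [k * theta for k in range(n_enb)]
        rows.append((theta,
                     rmse_bound(enbs, sigma),
                     rmse_bound(enbs + [CESAR_BEARING], sigma)))
    return rows


if __name__ == "__main__":
    for theta, plain, aided in geometry_sweep():
        print(f"theta={theta:.3f} rad  eNB-only={plain:6.1f} m  "
              f"with sensor={aided:6.1f} m")
```

Under these assumptions the eNB-only bound moves by more than 60 m across the four separations, while the bound with the additional range moves by roughly 10 m.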

Through the two studies presented here, we have shown the AMLE to be efficient relative
to the CRLB. We have also demonstrated theoretical accuracies on the order of tens of
meters, shown how accuracy is affected in NLoS scenarios, for various $N$, and demonstrated
CeSAR’s resilience in network infrastructure where geometry negatively affects
precision.

Figure 8.14. The results of the numerical studies for constant $N$ in terms
of RMSE are presented in this figure. Results realized from simulated and
real-world error data are presented. Source: [29].


This section has been revised from [29].





CHAPTER 9: 
Conclusion 


In this work, we have evaluated the TA parameter as a means to position estimation in cellular 
networks. This investigation has shed light on the TA both as a security vulnerability and 
under-leveraged network parameter alike. Additionally, we showed how more information 
can be extracted from the TA in order to provide a refined estimate through the CeSAR 
method. 

The investigation was conducted through protocol analysis, statistical analysis, simulation,
and field experimentation. The method of evaluation began with protocol analysis where it
was found that TA-based geolocation and a method of refinement, via CeSAR, were possible.
Next, the position estimate as gleaned from the TA was statistically analyzed in order to
determine the feasibility, in the sense of accuracy, of the method. Significant statistical findings
led to simulations under various scenarios of interest such as legacy network deployments,
handover scenarios, and heterogeneous network deployments. Next, field experimentation
was conducted in real-world network deployments. These experimentation results
uncovered parameters associated with real-world TA issuance such as error distribution shape and
statistics. These real-world errors were used in simulations to demonstrate the statistical
efficiency of TA-based positioning and further investigate performance. Finally, CeSAR
was also investigated in a real-world wireless channel in an SDR testbed.

9.1 Significant Contributions 

The results of this work have made several notable contributions. Specifically, those 
contributions include protocol analysis leading to the CeSAR refinement method, framing 
the TA as a quantized random variable to derive a MLE and corresponding lower bound on 
positioning error, and extensive experimentation, which included field data, that validated 
analytical results. 
9.1.1 Cellular Synchronization Assisted Refinement

The contribution of the CeSAR method was realized from an in-depth analysis of the LTE
protocol. In this analysis, it was discovered how the TA value could also be passively
leveraged to find the UE distance from a local sensor. When combined with the traditional
eNB-UE distance, which is more explicit in a TA, this information added a crucial dimension
to the system of equations otherwise typically used in TA-based positioning. The protocol
was also used to show that the observation needed in CeSAR was feasible without the need
to bypass encryption, making the contribution of CeSAR even more potent. A corollary of
CeSAR was that the reconfigurable nature of the method also allowed the user to mitigate
problems associated with GDoP.

CeSAR was framed as both a security vulnerability and a network performance multiplier.
From the perspective of a security vulnerability, the CeSAR operator would be a third party
extra-network operator. It was shown how this operator could locate a target reasonably
accurately with a low chance of detection since the method is entirely passive. Conversely,
from a network perspective, the method was shown to be a performance multiplier since,
in contrast to current positioning protocols (cf. LPP), it is passive and does not introduce
additional network traffic in developing a position estimate.

9.1.2 Statistical Analysis of the Timing Advance 

The analysis of the TA first began in the LTE protocol where TA behavior such as uncertainty,
issuance frequency, and reasons for issuance were investigated. Once the TA was found as a
tenable means for positioning, it was next analyzed statistically by casting it as a quantized
RV. This was the impetus for several important ideas.

First, it was shown in Theorem 1, that regardless of the target position within a TA annulus
$\psi$, the latent normal error distribution could be used to model the associated error. This
is significant since the exact observed error distribution is discrete, making further useful
analysis untenable. However, due to the result of Theorem 1, an exact MLE for TA-based
positioning was shown to be equivalent to the MLE for normally distributed error. A direct
and significant consequence of the MLE, which was expressible in closed form, was a lower
bound on the RMSE of the TA-based position estimate.

While the MLE was significant, we noted that it was dependent on information not likely
known a priori and levied a heavy computational burden to evaluate. Therefore, an AMLE
was developed to demonstrate efficiency in TA-based positioning. The efficiency was shown
with both simulated and real-world TA data. Demonstrable efficiency then allowed us to
use the lower bound to predict asymptotic behavior of TA-based MLE positioning.

Also notable was the comparison of the statistics of the TA in GSM versus LTE. We showed
that, under certain assumptions, Theorem 1 did not apply to the TA in GSM whereas it
does in LTE. This was significant because it shows that the tighter alignment required in
LTE ultimately also steered the protocol around a statistical corner where not only is better
accuracy possible, but the accuracy will be consistent regardless of the UE position within
the TA annulus. In contrast, this consistency cannot be expected in GSM and the accuracy
of the position estimate will show strong dependence on the annular offset.

9.1.3 Field Experimentation 

The first goal of field experimentation was to understand how the TA behaves in the wild
in order to develop a better TA model in simulation. To this end, TAs were collected in
four cities spanning the east and west coasts of the United States. TAs were observed in
real-world network deployments in Baltimore, MD, Annapolis, MD, San Diego, CA, and
Monterey, CA. The TAs were observed in environments spanning suburban to dense urban
environments, across several bands, and for stationary and moving UEs. This allowed us to
validate in situ that the LTE TA was issued frequently enough for a positioning application
and that the associated error statistics afforded an accurate estimate. Observation of error
statistics allowed us to build a realistic LTE TA error model suitable for use in simulation
that takes into account channel type. We were also able to validate with field data the
analytically derived Gaussian equivalency.

As stated in Chapter 2, most previous TA-based studies in the literature made two critical
assumptions about TA behavior: that the additional error introduced by the TA was uniform
and that error was independent of the UE location within the TA annulus. Those studies
that did use real-world TAs were not focused on evaluating the TA per se. Our extensive
field experimentation validated the assumption of the uniformity of the error; however, we
also showed that the model is better served as normal since the error associated with the
eNB’s estimate of the UE distance is dominant relative to the annular rounding in LTE*.
Furthermore, we validated the second assumption of the independence of the error model
with the UE annular offset $\psi$ both through analysis and field experimentation.

Finally, our field experimentation with CeSAR in conjunction with real-world TA values
lent validity to the simulated results and showed that an efficient position estimate could be
made when CeSAR was leveraged to improve the position estimate. Also notable is that
we demonstrated the achievable performance inside a real-world LTE network deployment
with entirely empirical data.

9.2 Future Work 

This work presented contributions which, when extended, offer the opportunity for further 
exploration. Specifically, we suggest extension of this work in four areas: three dimensional 
positioning, uplink observation modeling, heterogeneous network observation, baseband 
processor performance evaluation, and studying the use of the C-RNTI to best anonymize 
transmissions. 

9.2.1 Positioning in 

Here we propose further work which seeks to provide a position estimate in three dimensions.
In dense urban environments the UE is not always at ground level due to mobility in
skyscrapers, high rises, and other urban clutter. Thus, a TA-based position estimate in $\mathbb{R}^2$
may result in significant error for a UE which is located high above ground level.

Including a CeSAR sensor, particularly at the base of a structure in which a UE may
be located, could have two potential benefits which are similar to advantages of CeSAR
explored in this work. First, and most obvious, is that adding an extra dimension to
the position estimate will always improve accuracy (assuming the error associated with that
measurement is at least as good as the measurements currently defining the existing system
of equations). Second, if a UE is suspected to be in a particular tall structure, placing
the CeSAR sensor at the bottom of the structure realizes an approximately orthogonal
measurement relative to the UE-infrastructure geometry. As seen in this work, this will
minimize the effects associated with GDoP.

*This is another intuitive but more general way of stating the necessary conditions for Theorem 1 and QT2
to apply.

9.2.2 Uplink Frame Observation Modeling 

In this work, uplink frame observation was done with a BPSK PN sequence and a matched
filter. In a realistic application, the uplink burst will be transmitted after further being
OFDM modulated. OFDM transmissions will be more robust in a fading channel and thus
have the potential to improve the performance of CeSAR augmentation. Furthermore, the
PN sequence used was optimized to improve correlation performance via a LFSR.
Real-world LTE frames will not necessarily have these favorable correlation characteristics, thus
the resulting correlation will not be as exact.

Specifically, the theory associated with developing an optimal detector of the UE frame 
(e.g., the Neyman-Pearson detector) would significantly complement the CeSAR method 
and provide further insight into expected real-world performance. Of particular interest 
would be leveraging the cyclic prefix and regular signals with specific periodic transmissions 
such as UE-generated pilot tones to improve detection. 

9.2.3 Heterogeneous Network Ecology 

At the time of this writing the author is not aware of any fully deployed heterogeneous
network in the United States. Therefore, in this work, performance in the presence of
physically disparate carrier aggregation was evaluated either entirely in simulation or empirical
data were collected from individual eNBs online then combined offline in post processing
to mimic a heterogeneous network deployment.

In the near future it is likely that LTE release 11 characteristics will begin to make an
entrance in the currently deployed architecture. Studying the behavior of the TA in a
real-world heterogeneous implementation would be invaluable. In particular, of interest would
be the statistics of TA error associated with SCells, whether those statistics are similar
to the PCell statistics, and the use of these errors in case studies to validate performance
characteristics.
9.2.4 Effect of the Baseband Processor

In this study TAs were issued to and observed by two different test phones both operating 
with the Qualcomm Snapdragon chipset. A comprehensive statistical study of the TA in 
conjunction with different chipset vendors and versions would be of interest. Among general 
chipsets available on the market, the Samsung Exynos and Qualcomm Snapdragon are the 
most pervasive and would provide a starting point in terms of the survey. Within these 
two chipsets evaluating different versions would also be of interest. Ultimately, building an 
understanding of how TA-based positioning varies with chipset would be valuable. 

9.2.5 Vulnerability in the LTE Software Address Space 

The LTE software address space was presented in this work as a weak component of a LPPM. 
To this end it serves to anonymize transmissions sent to a specific UE as the C-RNTI stands 
in as a software address in place of the permanent address (IMSI) assigned to the UE. 
Evaluating the ability to link a specific user to a C-RNTI would be of particular interest. 
Methods that could be leveraged may include C-RNTI chaining and deanonymization 
attacks. 

C-RNTI chaining is a method of UE attribution to a C-RNTI that follows that user through
initial network negotiation. By observing the initial C-RNTI issuance and then following
the user as different C-RNTIs are issued, a valid UE to C-RNTI mapping can theoretically
be maintained. As discussed in Chapter 2, several methods have proven effective at linking
anonymous data to specific users. Evaluating their efficacy in the LTE software address
space would be of interest both in simulation and in real-world network deployments. By
evaluating the inherent vulnerability in the C-RNTI anonymization schema, recommendations
could be made to improve the method in the context of optimal C-RNTI lease time and initial
C-RNTI issuance.
APPENDIX A:

Histograms Representing the Error Associated with 
TA-Based Distance Estimation 



[Figure: histograms of distance error (m); panels (a) LoS and (b) NLoS]

Figure A.1. Location A error histograms are presented in this figure. Location A
is characterized as a dense urban environment. Adapted from [21].

Figure A.2. Location B error histograms are presented in this figure. Location B
is characterized as a dense urban environment. Adapted from [21].

Figure A.3. Location C error histograms are presented in this figure. Location B
is characterized as a dense urban environment. Adapted from [21].

Figure A.4. Location D error histograms are presented in this figure. Location D
is characterized as a suburban environment. Adapted from [21].
APPENDIX B:

Proof of the Lower Bound for an Unbiased Estimator 


In this section, we provide the proof of the relationship described by (6.2) and (6.1). The 
derivation is adapted from [75]. 

Definition A1: An admissible estimate is the estimation of a parameter on which
observations of a RV depend such that the support of the RV density does not depend on the
parameter to be estimated.

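Theorem A1: Suppose $X = \{X_1, X_2, \ldots, X_N\}$ are a set of observations of the RV $x$ which
is parameterized by $\lambda$ and $\hat{\lambda}(X)$ is an unbiased estimator of $\lambda$. Then

$$\mathrm{E}\left\{\left(\hat{\lambda}(X) - \lambda\right)^2\right\} \geq -\mathrm{E}\left\{\frac{\partial^2 \log p(X|\lambda)}{\partial\lambda^2}\right\}^{-1}$$

if $\hat{\lambda}(X)$ constitutes an admissible estimate.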

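Proof: By definition $\hat{\lambda}(X)$ is an unbiased estimator so the expected value of the estimate is
given by

$$\int_a^b \hat{\lambda}(X)\, p(X|\lambda)\, dx = \lambda \tag{B.2}$$

where the limits of the definite integral $[a, b]$ span the support of $p(X|\lambda)$. Next taking the
derivative of both sides w.r.t. $\lambda$

$$\frac{\partial}{\partial\lambda} \int_a^b \hat{\lambda}(X)\, p(X|\lambda)\, dx = 1 \tag{B.3}$$

and from Leibniz’s rule

$$\int_a^b \frac{\partial}{\partial\lambda} \hat{\lambda}(X)\, p(X|\lambda)\, dx + \frac{\partial b}{\partial\lambda} \hat{\lambda}(b)\, p(b|\lambda) - \frac{\partial a}{\partial\lambda} \hat{\lambda}(a)\, p(a|\lambda) = 1 \tag{B.4}$$

but, by Definition 1, the latter two summands evaluate to zero since

$$\frac{\partial a}{\partial\lambda} = 0, \qquad \frac{\partial b}{\partial\lambda} = 0. \tag{B.5}$$

Therefore, we have

$$\int \hat{\lambda}(X) \frac{\partial}{\partial\lambda} p(X|\lambda)\, dx = 1 \tag{B.6}$$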


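where we have dropped the limits of the integral for convenience.

Lemma A1: For an admissible estimate of the parameter $\lambda$

$$\frac{\partial}{\partial\lambda} \int p(x|\lambda)\, dx = \int \frac{\partial}{\partial\lambda} p(x|\lambda)\, dx = 0. \tag{B.7}$$

Proof: It follows from Definition 1 and Leibniz’s rule that

$$\frac{\partial}{\partial\lambda} \int p(x|\lambda)\, dx = \int \frac{\partial}{\partial\lambda} p(x|\lambda)\, dx. \tag{B.8}$$

We can then show that

$$\frac{\partial}{\partial\lambda} \int p(x|\lambda)\, dx = \frac{\partial}{\partial\lambda} 1 = 0 \tag{B.9}$$

which follows from the definition of a probability density. □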

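Continuing with the proof of the theorem, we can then let

$$\int \hat{\lambda}(X) \frac{\partial}{\partial\lambda} p(X|\lambda)\, dx - \int \lambda \frac{\partial}{\partial\lambda} p(X|\lambda)\, dx = \int \left(\hat{\lambda}(X) - \lambda\right) \frac{\partial}{\partial\lambda} p(X|\lambda)\, dx = 1 \tag{B.10}$$

and

$$\int \left(\hat{\lambda}(X) - \lambda\right) \frac{1}{p(X|\lambda)} \frac{\partial}{\partial\lambda}\left(p(X|\lambda)\right) p(X|\lambda)\, dx = 1. \tag{B.11}$$

Now substituting the relationship

$$\frac{\partial}{\partial\lambda} \log p(X|\lambda) = \frac{1}{p(X|\lambda)} \frac{\partial}{\partial\lambda} p(X|\lambda) \tag{B.12}$$

we have that

$$\int \left(\hat{\lambda}(X) - \lambda\right) \frac{\partial}{\partial\lambda}\left(\log p(X|\lambda)\right) p(X|\lambda)\, dx = 1. \tag{B.13}$$

Using the definition of expectation the relationship becomes

$$\mathrm{E}\left\{\left(\hat{\lambda}(X) - \lambda\right) \frac{\partial}{\partial\lambda}\left(\log p(X|\lambda)\right)\right\} = 1. \tag{B.14}$$

The Cauchy-Schwarz inequality⁴⁷ then gives

$$\mathrm{E}\left\{\left(\hat{\lambda}(X) - \lambda\right)^2\right\} \mathrm{E}\left\{\left[\frac{\partial}{\partial\lambda} \log p(X|\lambda)\right]^2\right\} \geq \left|\mathrm{E}\left\{\left(\hat{\lambda}(X) - \lambda\right) \frac{\partial}{\partial\lambda}\left(\log p(X|\lambda)\right)\right\}\right|^2 = 1 \tag{B.15}$$

$$\mathrm{E}\left\{\left(\hat{\lambda}(X) - \lambda\right)^2\right\} \mathrm{E}\left\{\left[\frac{\partial}{\partial\lambda} \log p(X|\lambda)\right]^2\right\} \geq 1. \tag{B.16}$$

$$\mathrm{E}\left\{\left(\hat{\lambda}(X) - \lambda\right)^2\right\} \geq \mathrm{E}\left\{\left[\frac{\partial}{\partial\lambda} \log p(X|\lambda)\right]^2\right\}^{-1} \tag{B.17}$$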


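Lemma A2: For an admissible estimate of the parameter $\lambda$

$$\mathrm{E}\left\{\left[\frac{\partial}{\partial\lambda} \log p(X|\lambda)\right]^2\right\} = -\mathrm{E}\left\{\frac{\partial^2}{\partial\lambda^2} \log p(X|\lambda)\right\}. \tag{B.18}$$

Proof: From the property of a probability density we have

$$\int p(X|\lambda)\, dx = 1. \tag{B.19}$$

Now differentiating both sides of the relationship

$$\frac{\partial}{\partial\lambda} \int p(X|\lambda)\, dx = 0. \tag{B.20}$$

Again, invoking Definition 1 and Leibniz’s rule the relationship becomes

$$\frac{\partial}{\partial\lambda} \int p(X|\lambda)\, dx = \int \frac{\partial}{\partial\lambda} p(X|\lambda)\, dx = 0. \tag{B.21}$$

⁴⁷ $\mathrm{E}\{x^2\}\mathrm{E}\{y^2\} \geq |\mathrm{E}\{xy\}|^2$ [48].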
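We now use the relationship (B.12) to write

$$\int \frac{\partial \log p(X|\lambda)}{\partial\lambda}\, p(X|\lambda)\, dx = 0 \tag{B.22}$$

and again differentiate both sides of the equation to realize

$$\frac{\partial}{\partial\lambda} \int \frac{\partial \log p(X|\lambda)}{\partial\lambda}\, p(X|\lambda)\, dx = \int \frac{\partial}{\partial\lambda}\left[\frac{\partial \log p(X|\lambda)}{\partial\lambda}\, p(X|\lambda)\right] dx = 0 \tag{B.23}$$

which is again possible from Definition 1 and Leibniz’s rule. The chain rule then gives

$$\int \frac{\partial^2 \log p(X|\lambda)}{\partial\lambda^2}\, p(X|\lambda)\, dx + \int \frac{\partial \log p(X|\lambda)}{\partial\lambda} \frac{\partial p(X|\lambda)}{\partial\lambda}\, dx = 0. \tag{B.24}$$

The relationship in (B.12) is then substituted into the second summand to realize

$$\int \frac{\partial^2 \log p(X|\lambda)}{\partial\lambda^2}\, p(X|\lambda)\, dx + \int \frac{\partial \log p(X|\lambda)}{\partial\lambda} \frac{\partial \log p(X|\lambda)}{\partial\lambda}\, p(X|\lambda)\, dx = 0 \tag{B.25}$$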


/ A j - o 

I pixuu. - - j 


(B.26) 

(B.27) 

(B.28) 


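To finish the proof of the theorem we use the result of Lemma A2 in (B.17) to arrive at

$$\mathrm{E}\left\{\left(\hat{\lambda}(X) - \lambda\right)^2\right\} \geq -\mathrm{E}\left\{\frac{\partial^2 \log p(X|\lambda)}{\partial\lambda^2}\right\}^{-1} \tag{B.29}$$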
APPENDIX C:

Proof of the Maximum Likelihood Estimate and the 
Cramer-Rao Lower Bound for Source Localization 
with Normally Corrupted Measurements 

Theorem A2: The maximum likelihood estimate (MLE) for source localization with
normally corrupted measurements is given by

$$\begin{aligned} \sum_{i=1}^{N} \frac{(\hat{d}_i - d_i)(x_0 - x_i)}{d_i} &= 0 \\ \sum_{i=1}^{N} \frac{(\hat{d}_i - d_i)(y_0 - y_i)}{d_i} &= 0 \end{aligned} \tag{C.1}$$

when $\sigma_i = \sigma$, $\forall i$ and the source position is $p_0 = [x_0, y_0]^T$.

Proof: Since the measurements $\hat{d}$ are corrupted by Gaussian noise we can define the joint
error distribution as

$$p(\hat{d}|d) = \prod_{i=1}^{N} \frac{1}{\sqrt{2\pi}\sigma_i} e^{-\frac{(\hat{d}_i - d_i)^2}{2\sigma_i^2}}. \tag{C.2}$$

The resulting log-likelihood function is given by

$$\log p(\hat{d}|d) = \sum_{i=1}^{N} -\log(\sqrt{2\pi}\sigma_i) + \frac{-(\hat{d}_i - d_i)^2}{2\sigma_i^2}. \tag{C.3}$$

When we let $\sigma_i = \sigma$, $\forall i$ the log-likelihood function is simplified to

$$\log p(\hat{d}|d) = NC + \sum_{i=1}^{N} \frac{-(\hat{d}_i - d_i)^2}{2\sigma^2} \tag{C.4}$$

where $C = -\log(\sqrt{2\pi}\sigma)$ is a constant. The MLE $\hat{p}$ will then be the location $p = [x, y]^T$
that maximizes $\log p(\hat{d}|d)$ such that

$$\hat{p} = \arg\max_{p} \log p(\hat{d}|d). \tag{C.5}$$

The maxima of (C.5) can then be found by setting the first derivative equal to zero and
solving for $p$.


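Lemma A3: The partial derivative of the distance, $d_i$, with respect to $p$ is

$$\frac{\partial}{\partial x} d_i = \frac{(x - x_i)}{d_i} \tag{C.6}$$

and

$$\frac{\partial}{\partial y} d_i = \frac{(y - y_i)}{d_i}. \tag{C.7}$$

Proof: Let

$$d_i = \|p - p_i\| = \sqrt{(x - x_i)^2 + (y - y_i)^2} \tag{C.8}$$

then by the chain rule

$$\frac{\partial}{\partial x} d_i = \frac{2(x - x_i)}{2\sqrt{(x - x_i)^2 + (y - y_i)^2}} = \frac{(x - x_i)}{d_i}. \tag{C.9}$$

The partial derivative with respect to $y$ follows from the same methodology. □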


Now, continuing with the proof of Theorem A2, consider the partial derivative of (C.4)
with respect to $x$:

$$\frac{\partial}{\partial x} \log p(\hat{d}|d) = \sum_{i=1}^{N} \frac{\partial}{\partial x} \frac{-(\hat{d}_i - d_i)^2}{2\sigma^2} = \sum_{i=1}^{N} \frac{2(\hat{d}_i - d_i)}{2\sigma^2} \frac{\partial}{\partial x} d_i \tag{C.10}$$

which follows from the chain rule and from the fact that the derivative of a constant is zero.
Then invoking Lemma A3 we have that

$$\frac{\partial}{\partial x} \log p(\hat{d}|d) = \sum_{i=1}^{N} \frac{(\hat{d}_i - d_i)(x - x_i)}{\sigma^2 d_i}. \tag{C.11}$$

The first partial derivative with respect to $y$ can be found by analogous means. The
relationship in (C.11) can be further simplified when finding the maxima of (C.5) by
ignoring the constant $\sigma^{-2}$ (assuming the condition $\sigma_i = \sigma$, $\forall i$). ■


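Theorem A3: The Cramer-Rao Lower Bound for unbiased position estimation is given by

$$\mathrm{CRLB} = \sqrt{\operatorname{tr}(\mathbf{I}^{-1})} \tag{C.12}$$

where

$$\mathbf{I}_{\{i,j\}} = -\mathrm{E}\left\{\frac{\partial^2 \log p(\hat{d}|d)}{\partial p_{\{i\}} \partial p_{\{j\}}}\right\} \tag{C.13}$$

and

$$\mathbf{I} = \begin{bmatrix} \sum_{i=1}^{N} \frac{(x - x_i)^2}{\sigma^2 d_i^2} & \sum_{i=1}^{N} \frac{(x - x_i)(y - y_i)}{\sigma^2 d_i^2} \\ \sum_{i=1}^{N} \frac{(x - x_i)(y - y_i)}{\sigma^2 d_i^2} & \sum_{i=1}^{N} \frac{(y - y_i)^2}{\sigma^2 d_i^2} \end{bmatrix} \tag{C.14}$$

when the distance measurements, $\hat{d}_i$, are corrupted by Gaussian noise and $\sigma_i = \sigma$, $\forall i$.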


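Proof: Consider

$$\mathbf{I}_{\{1,1\}} = -\mathrm{E}\left\{\frac{\partial^2}{\partial p_{\{1\}} \partial p_{\{1\}}} \log p(\hat{d}|d)\right\} \tag{C.15}$$

where $p = [x, y]^T$ so $p_{\{1\}} = x$ and $p_{\{2\}} = y$. The relationship in (C.15) can then be
expanded to

$$\mathbf{I}_{\{1,1\}} = -\mathrm{E}\left\{\frac{\partial}{\partial x} \frac{\partial}{\partial x} \log p(\hat{d}|d)\right\} = -\mathrm{E}\left\{\frac{\partial}{\partial x} \frac{1}{\sigma^2} \sum_{i=1}^{N} \frac{(\hat{d}_i - d_i)(x - x_i)}{d_i}\right\} \tag{C.16}$$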
which follows from Theorem A2. Now, again evaluating the partial derivative we have


d 1 'Y ~ di)(x - Xi) 
dx (7-2 ^ di 

l = \ 


1 d (di - di)(x - Xi) 
0-2 ^ gx di 

l = \ 




(C.17) 


which follows from the product rule. Now substituting back into (C.16) we have


N 


d 1 (di - di)(x - Xi) \ -1 


N 




EjjL^d, 


i=\ 


di 


i=\ 

N 


d 




0-2 ^ \Qx 

(C.18) 

which follows from the following two relationships when the expectation is taken with
respect to the RV $\hat{d}$


dx 


di 


dx 


di 


d^ 


(C.19) 


- di)-^di 1 = 0 . 


The former relationship is clear since the expectation is taken over a constant relative to $\hat{d}$.
The latter relationship follows from the fact that $\mathrm{E}\{\hat{d}_i - d_i\} = 0$ if the estimate is unbiased.
Finally, we use the result of Lemma A3 to expand (C.18) to

$$\mathbf{I}_{\{1,1\}} = \frac{1}{\sigma^2} \sum_{i=1}^{N} \frac{(x - x_i)^2}{d_i^2}. \tag{C.20}$$

This result can be easily extended by Lemma A3 to show

$$\mathbf{I}_{\{2,2\}} = \frac{1}{\sigma^2} \sum_{i=1}^{N} \frac{(y - y_i)^2}{d_i^2}. \tag{C.21}$$


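The off-diagonal elements of $\mathbf{I}$ can be found by replacing the second derivative in (C.16)
with

$$\mathbf{I}_{\{1,2\}} = -\mathrm{E}\left\{\frac{\partial}{\partial y} \frac{1}{\sigma^2} \sum_{i=1}^{N} \frac{(\hat{d}_i - d_i)(x - x_i)}{d_i}\right\}. \tag{C.22}$$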

Evaluating the partial derivative with respect to y we have 


J_ {dj - di)(x - Xj) 
dyo-^^ di 


N 


d (di - di)(x - Xi) 


—y 

(7-2 ^ Qy 
l=\ 

1 ^ a 

(j-2 ^ Qy 

1 d ^ d ^ 

^ Zj ~ 


di 


(di - di)—di 
dx 


di)^^di 
dy dx 


(C.23) 
Then, substituting this result into (C.22) we have



(C.24) 


where the last step follows from the results enumerated in (C.19). Finally, using the results
of Lemma A3 we have

$$\mathbf{I}_{\{1,2\}} = \frac{1}{\sigma^2} \sum_{i=1}^{N} \frac{(x - x_i)(y - y_i)}{d_i^2}. \tag{C.25}$$

Note that the matrix $\mathbf{I}$ will be symmetric, therefore, $\mathbf{I}_{\{1,2\}} = \mathbf{I}_{\{2,1\}}$.
APPENDIX D:

Derivation of the Maximum Likelihood Estimate
Associated with $p_N(x) * p_U(x)$

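In this section, a derivation of the convolution $p_N(x) * p_U(x)$ is given. To begin, recall

$$p_N(x) = \frac{1}{\sqrt{2\pi}\sigma} e^{-\frac{x^2}{2\sigma^2}} = \mathcal{N}(0, \sigma^2) \tag{D.1}$$

$$p_U(x) = \frac{1}{\tau} I_{[-\tau/2, \tau/2]}(x)$$

where $I_{[-\tau/2, \tau/2]}(\cdot)$ is the indicator function with support $\in [-\tau/2, \tau/2]$.
Next, using $t$ as the dummy variable for the convolution we have

$$p_N(x) * p_U(x) = \frac{1}{\tau} \int_{x - \tau/2}^{x + \tau/2} \frac{1}{\sqrt{2\pi}\sigma} e^{-\frac{t^2}{2\sigma^2}}\, dt.$$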

Evaluating the integral we have 


1 1 ^ 1 / M 

- / _ e 2 o -2 = - O I — 

7x-t/2 V^O- ' x-rjl 


X - rjl 


where $\Phi\left(\frac{x - \mu}{\sigma}\right)$ is the cumulative density of $\mathcal{N}(\mu, \sigma^2)$.


(D.2) 


(D.3) 


(D.4) 


(D.5) 


Next, to find the maximum-likelihood estimate (MLE) of $p_N(x) * p_U(x)$ for positioning
applications consider

$$\hat{p} = \arg\max_{p} \log p(\hat{d}|d) \tag{D.6}$$

where

$$\log p(\hat{d}|d) = \sum_{i=1}^{N} \log p(\hat{d}_i|d_i) \tag{D.7}$$

and $d = [d_1, d_2, \ldots, d_N]^T$ is the set of actual distances to the $N$ eNBs, $\hat{d} = [\hat{d}_1, \hat{d}_2, \ldots, \hat{d}_N]^T$
is the set of measured distances to the $N$ eNBs. The above density given in (D.4) can be
reformulated for the positioning problem with non-zero mean as


P(di\di) = 



di - di - t/2 


(Ti 


-O 


di - di -I- t/2 


(Ti 


(D.8) 


The corresponding MLE can then be found as


d\ogg){d\d) 


dx 

N 


1 / d 

- ^ T-\di) I - di - t/2, (t^)y/^ 
i=l '' 


-N(di - di + T/I, a^)—di 

ox 


d\ogp(d\d) 

dy 

N 


1 / /i 

- y r-Hdi) \N(di - di - t/2, (T^)—di 
T < \ n jj 


r 

1=1 


dy 

-N{di - di + T/I, a^)—di 

dy 


(D.9) 


where we have assumed for simplicity that $\sigma_i = \sigma$ $\forall i$, and


^!di-di-T/2\ Idi-di + T/l 

T{di) = O I ^^- — 1 - O ' 


cr 


cr 


(D.IO) 
Then continuing the differentiation and invoking Lemma A3 we have that


d\og^{d\d) ^ 
dx 

[Nini + di-T!2,cr^) 

! = 1 * 

-N(iii + di + Tjl, cr^) 

d\ogp(d\d) ^ 
dy 

r ^ 

-N(iUi + di + T/2,cr^) 

(D.11)

Setting these gradients to zero yields the exact MLE $\hat{p}$ for an error characterized by
$p_N(x) * p_U(x)$. ■
APPENDIX E:

Proof of the Variance of $N'$ at Extrema of $\tau$


Theorem A4:

$$\lim_{\tau \to 0} \operatorname{var}\{N'\} = \sigma^2$$

where $\sigma^2$ is the variance of the latent RV.


Proof: Recall that 




where $P_{N'}(\phi)$ is the characteristic function (CF) of $N'$ [49]. Therefore, the second moment
is explicitly given by




since $j^2 = -1$. Recall also that


Pn'{<P) = Inn It). 


Lemma A4: If $U$ is uniform then its CF is given by

$$P_U(\phi) = \operatorname{sinc}\left(\frac{\phi\tau}{2}\right)$$

Proof: Note that if $U \sim \frac{1}{\tau} I_{[-\tau/2, \tau/2]}(x)$ then


1 

Puif) = - 

r J-t/2 


\x=-tI2 

1 / -j4’T JJtL 

--— e 2 _ e 2 

JCpT \ 
$$= \frac{2\sin(\phi\tau/2)}{\phi\tau} = \frac{\sin(\phi\tau/2)}{\phi\tau/2} = \operatorname{sinc}\left(\frac{\phi\tau}{2}\right) \tag{E.7}$$

where the last step follows from the definition $\operatorname{sinc}(x) = \sin(x)/x$ and thus implies
zero crossings at $\phi = 2\pi k/\tau$ where $k \in \mathbb{Z}$. Note also that $P_U(0) = 1$ which satisfies
the requirement that $\int_{-\infty}^{\infty} p_U(x)\, dx = 1$. □


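Lemma A5: If $\mathcal{N}$ is normal then its CF is given by

$$P_{\mathcal{N}}(\phi) = e^{-\frac{(\phi\sigma)^2}{2}}. \tag{E.8}$$

Proof: Note that if $\mathcal{N} \sim N(0, \sigma^2)$ then

$$\begin{aligned}
P_{\mathcal{N}}(\phi) &= \int_{-\infty}^{\infty} \frac{1}{\sigma\sqrt{2\pi}}\, e^{-\frac{x^2}{2\sigma^2}}\, e^{-j\phi x}\,dx \\
&= \frac{1}{\sigma\sqrt{2\pi}} \int_{-\infty}^{\infty} e^{-\frac{x^2}{2\sigma^2}} \cos(\phi x)\,dx \\
&= e^{-\frac{(\phi\sigma)^2}{2}}
\end{aligned} \tag{E.9}$$

The second step of (E.9) follows from

$$\int_{-a}^{a} e^{-jx}\,dx = \int_{-a}^{a} \cos(x)\,dx + j\int_{-a}^{a} \sin(x)\,dx = \int_{-a}^{a} \cos(x)\,dx \tag{E.10}$$

and the last step in (E.9) is given by Abramowitz and Stegun [76]. Note also that
$P_{\mathcal{N}}(0) = 1$ which satisfies the requirement that $\int_{-\infty}^{\infty} p_{\mathcal{N}}(x)\,dx = 1$. □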


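Next, continuing with the proof of Theorem A4, let $\tau \to 0$ so that $P_{\mathcal{N}'}(\phi) \approx \Lambda(\phi) =
P_U(\phi)P_{\mathcal{N}}(\phi)$ (cf. Chapter 6). Now to calculate the second moment, by (E.3), Lemmas A4
and A5, and the product rule, we have

$$\frac{d^2}{d\phi^2} P_U(\phi)P_{\mathcal{N}}(\phi) = \frac{d}{d\phi}\left[\operatorname{sinc}\left(\frac{\phi\tau}{2}\right)\frac{d}{d\phi}\, e^{-\frac{(\phi\sigma)^2}{2}} + \frac{d}{d\phi}\operatorname{sinc}\left(\frac{\phi\tau}{2}\right) e^{-\frac{(\phi\sigma)^2}{2}}\right] \tag{E.11}$$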
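And again we invoke the product rule to find that

$$\frac{d^2}{d\phi^2} P_U(\phi)P_{\mathcal{N}}(\phi) = \operatorname{sinc}\left(\frac{\phi\tau}{2}\right)\frac{d^2}{d\phi^2}\, e^{-\frac{(\phi\sigma)^2}{2}} + 2\,\frac{d}{d\phi}\operatorname{sinc}\left(\frac{\phi\tau}{2}\right)\frac{d}{d\phi}\, e^{-\frac{(\phi\sigma)^2}{2}} + \frac{d^2}{d\phi^2}\operatorname{sinc}\left(\frac{\phi\tau}{2}\right) e^{-\frac{(\phi\sigma)^2}{2}} \tag{E.12}$$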


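Now evaluating individual elements of (E.12) at $\phi = 0$, we have that

$$\begin{aligned}
\frac{d}{d\phi}\, e^{-\frac{(\phi\sigma)^2}{2}}\,\Big|_{\phi=0} &= 0 \\
\frac{d}{d\phi}\operatorname{sinc}\left(\frac{\phi\tau}{2}\right)\Big|_{\phi=0} &= 0 \\
\frac{d^2}{d\phi^2}\, e^{-\frac{(\phi\sigma)^2}{2}}\,\Big|_{\phi=0} &= -\sigma^2 \\
\frac{d^2}{d\phi^2}\operatorname{sinc}\left(\frac{\phi\tau}{2}\right)\Big|_{\phi=0} &= -\frac{\tau^2}{12}
\end{aligned} \tag{E.13}$$

where the first three relationships follow directly and the last follows from the variance of
a uniform random variable. Using these results (E.12) can be simplified to

$$-\frac{d^2}{d\phi^2} P_U(\phi)P_{\mathcal{N}}(\phi)\,\Big|_{\phi=0} = \sigma^2 + \frac{\tau^2}{12}. \tag{E.14}$$

Finally, it is straightforward to verify that

$$\lim_{\tau \to 0} \sigma^2 + \frac{\tau^2}{12} = \sigma^2. \tag{E.15}$$

Note that the assumption used to arrive at (E.14) was that $P_{\mathcal{N}'}(\phi) \approx \Lambda(\phi)$, which
requires that $\tau < \epsilon$ where $\epsilon$ is some sufficiently small number (cf. Chapter 6). ■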


Theorem A5: 


lim varjAf'} 


= 0 


0=0 


(E.16) 
Lemma A6: If the annular offset is $\psi = \tau/2$ then

$$p_{\mathcal{N}'}(x) = \tfrac{1}{2}\delta(x + \tau/2) + \tfrac{1}{2}\delta(x - \tau/2) \tag{E.20}$$

when $\tau \to \infty$.

Proof: Let the impulse train be $\mathrm{III}_\tau(x - \tau/2)$ so that the annular offset is $\psi = \tau/2$,
which is the worst case $\psi$ in terms of the resulting variance of $\mathcal{N}'$ when $\tau \to \infty$. The
resulting shifted version of $p_{\mathcal{N}'}(x)$ can then be approximated as (E.20) for sufficiently
large $\tau$.

To see this recall that pM'ip) = o;S(x - nr) and consider summands where n 
0,1. Recall that when the annular offset if 0, then (6.13) can be expressed as 
a„ = Q''[0(nT + t/2 -if)- O/ht - t/2 - if)] when d = 0. Thus, when if = t/2, 

Qn = a'\d){nT) - 0(nT - t)] which is calculated explicitly by 

pnr 

CTn = j PM'(x)dx. (E.21) 

JriT—T 
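Next note that

$$\lim_{\tau \to \infty} \int_{n\tau-\tau}^{n\tau} p_{\mathcal{N}'}(x)\,dx\,\Big|_{\forall n<0} = \int_{-\infty}^{-\infty} p_{\mathcal{N}'}(x)\,dx = 0. \tag{E.22}$$

It then follows from the fact that $p_{\mathcal{N}'}(x)$ is even that

$$\lim_{\tau \to \infty} \int_{n\tau-\tau}^{n\tau} p_{\mathcal{N}'}(x)\,dx\,\Big|_{\forall n>1} = \int_{\infty}^{\infty} p_{\mathcal{N}'}(x)\,dx = 0. \tag{E.23}$$

Conversely, when $n \in \{0, 1\}$

$$\lim_{\tau \to \infty} \int_{n\tau-\tau}^{n\tau} p_{\mathcal{N}'}(x)\,dx\,\Big|_{n=0} = \int_{-\infty}^{0} p_{\mathcal{N}'}(x)\,dx = \frac{1}{2} \tag{E.24}$$

$$\lim_{\tau \to \infty} \int_{n\tau-\tau}^{n\tau} p_{\mathcal{N}'}(x)\,dx\,\Big|_{n=1} = \int_{0}^{\infty} p_{\mathcal{N}'}(x)\,dx = \frac{1}{2} \tag{E.25}$$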


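Next, continuing with the proof of Theorem A5, the resulting Fourier transform of (E.20) is

$$P_{\mathcal{N}'}(\phi) = \int \left[\tfrac{1}{2}\delta(x + \tau/2) + \tfrac{1}{2}\delta(x - \tau/2)\right] e^{-j\phi x}\,dx = \cos(\phi\tau/2). \tag{E.26}$$

Next substituting (E.26) into (E.3) we have

$$\begin{aligned}
-\frac{d^2 P_{\mathcal{N}'}(\phi)}{d\phi^2}\,\Big|_{\phi=0} &= -\frac{d^2}{d\phi^2}\cos(\phi\tau/2)\,\Big|_{\phi=0} \\
&= \frac{\tau}{2}\,\frac{d}{d\phi}\sin(\phi\tau/2)\,\Big|_{\phi=0} \\
&= \frac{\tau^2}{4}\cos(\phi\tau/2)\,\Big|_{\phi=0}
\end{aligned} \tag{E.27}$$

Finally, letting $\tau \to \infty$ we have

$$\lim_{\tau \to \infty} -\frac{d^2 P_{\mathcal{N}'}(\phi)}{d\phi^2}\,\Big|_{\phi=0} = \lim_{\tau \to \infty} \frac{\tau^2}{4} = \infty. \tag{E.28}$$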
APPENDIX F:

Proof that $P_{\mathcal{N}'}(\phi) = \Lambda_0(\phi)$ when $\tau = \epsilon$


Theorem A6: If $p_{\mathcal{N}}(x)$ is normally distributed with variance $\sigma^2$ then when $\tau = \epsilon$

$$P_{\mathcal{N}'}(\phi) = \Lambda_0(\phi)$$

for sufficiently small $\epsilon$.

Proof: Let $\psi = 0$ and consider the definition

$$P_{\mathcal{N}'}(\phi) = \sum_n \Lambda_n(\phi - 2\pi n/\tau) \tag{F.2}$$

where it was previously shown in Chapter 6 that

$$\Lambda(\phi) = e^{-\frac{(\phi\sigma)^2}{2}} \operatorname{sinc}\left(\frac{\phi\tau}{2}\right) \tag{F.3}$$

under the assumption that $p_{\mathcal{N}}(x)$ is normally distributed with variance $\sigma^2$ and $p_U(x)$ is
uniformly distributed $\in [-\tau/2, \tau/2]$. Each copy of (F.3) represented in the sum (F.2) is
shifted from the origin by $2\pi n/\tau$ (observe also that (F.3) is even).

It is clear that

$$\lim_{\tau \to 0} \frac{2\pi n}{\tau} = \infty.$$

Therefore, all terms in (F.2) where $n \neq 0$ will be centered at $\pm\infty$. Now when $\tau = \epsilon$ the
summand when $n = 1$ is centered at $2\pi/\epsilon$, which $\approx \infty$ for sufficiently small $\epsilon$.

Lemma A7:

$$\lim_{\phi \to \pm\infty} \Lambda(\phi) = 0.$$

Proof: Consider the Gaussian multiplicand in (F.3) which is piece-wise monotonic
about its mean and independent of $\tau$. Note that at its extrema

$$\lim_{\phi \to -\infty} e^{-\frac{(\phi\sigma)^2}{2}} = \lim_{\phi \to \infty} e^{-\frac{(\phi\sigma)^2}{2}} = 0.$$

Therefore, from the property that

$$\lim_{x \to z} f \cdot h = \left(\lim_{x \to z} f\right) \cdot \left(\lim_{x \to z} h\right) \tag{F.7}$$

the lemma follows. □

Now for the shifted versions of (F.3) we have that

$$\lim_{\epsilon \to 0} e^{-\frac{((\phi - 2\pi n/\epsilon)\sigma)^2}{2}} \operatorname{sinc}\left(\frac{(\phi - 2\pi n/\epsilon)\,\epsilon}{2}\right)\Big|_{n \neq 0} = \lim_{\phi \to \infty} e^{-\frac{(\phi\sigma)^2}{2}} \operatorname{sinc}\left(\frac{\phi\epsilon}{2}\right) = 0 \tag{F.8}$$

where the equality to zero follows from Lemma A7. Therefore, $\Lambda_n(\phi) \approx 0$, $\forall \Lambda_n$ where
$n \neq 0$ and the contributions in the sum of (F.2) by $\Lambda_n$ where $n \neq 0$ are effectively null. In
other words

$$\sum_n \Lambda_n(\phi - 2\pi n/\epsilon)\,\Big|_{\psi=0} = \cdots + 0 + 0 + \Lambda_0(\phi) + 0 + 0 + \cdots \tag{F.9}$$

and it can thus be concluded that

$$P_{\mathcal{N}'}(\phi)\,\Big|_{\psi=0,\,\tau=\epsilon} = \sum_n \Lambda_n(\phi - 2\pi n/\epsilon) = \Lambda_0(\phi) \tag{F.10}$$

when $\psi = 0$. Now let $\psi \neq 0$ then (F.2) becomes

PN>m^^0 = - 27rnfT) (F.ll) 

n 

and 

A{(p) = '^2 ^ sine • (F.12) 

Here, (F.9) still applies and so Lemma A7 is still valid for $\psi \neq 0$. Now

n 

so that the theorem holds $\forall \psi$. ■
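APPENDIX G:

Sufficient Condition for $\operatorname{Var}(\mathcal{N}') > \operatorname{Var}(\mathcal{N})$


Theorem A7: The lower bound on the RMSE for a RV after quantization will always be
higher than the CRLB iff

$$\tau < 3.4\sigma. \tag{G.1}$$

Proof: It has been previously shown in Appendix E that the minimum value of $\operatorname{Var}(\mathcal{N}')$
occurs when there is no annular offset (i.e., $\mathrm{III}_\tau(x - 0)$). Therefore, since this value of $\psi$
results in minimum variance in the quantized RV $\mathcal{N}'$ and the variance of $\mathcal{N}'$ for all other
offsets such that $\psi \neq 0$ will be equal to or larger than $\mathcal{N}$, this is the only condition which
needs evaluation. The variance of $\mathcal{N}'$ for $\psi = 0$ is given by

$$\begin{aligned}
\operatorname{Var}(\mathcal{N}') &= \int_{-\infty}^{\infty} x^2 \sum_{n=-\infty}^{\infty} \alpha_n \delta(x - n\tau)\,dx \\
&= \sum_{n=-\infty}^{\infty} (n\tau)^2 \alpha_n \\
&= \sum_{n=-\infty}^{\infty} (n\tau)^2 \int_{n\tau-\tau/2}^{n\tau+\tau/2} p_{\mathcal{N}}(x)\,dx
\end{aligned} \tag{G.2}$$

where $\Phi(x)$ is the cumulative density of x. The first step follows from the definition of
variance of a zero mean random variable. The second step follows from $f(x)\delta(x - a) =
f(a)\delta(x - a)$ and $\int \delta(x)\,dx = 1$. The third step follows from $\int p_{\mathcal{N}}(x)\,dx$ where the
definite integral is over the interval $q_n$. To see this recall that

$$\begin{aligned}
p_{\mathcal{N}'}(x) &= \mathrm{III}_\tau(x)\,\big(p_{\mathcal{N}}(x) * p_U(x)\big) \\
&= \sum_{n=-\infty}^{\infty} \delta(x - n\tau)\,\big(p_{\mathcal{N}}(x) * p_U(x)\big) \\
&= \sum_{n=-\infty}^{\infty} \delta(x - n\tau)\,\big(\Phi(x + \tau/2) - \Phi(x - \tau/2)\big) \\
&= \sum_{n=-\infty}^{\infty} \delta(x - n\tau)\,\big(\Phi(n\tau + \tau/2) - \Phi(n\tau - \tau/2)\big)
\end{aligned} \tag{G.3}$$

$$= \sum_{n=-\infty}^{\infty} \delta(x - n\tau) \int_{n\tau-\tau/2}^{n\tau+\tau/2} p_{\mathcal{N}}(x)\,dx. \tag{G.4}$$

Therefore,

$$\alpha_n = \int_{n\tau-\tau/2}^{n\tau+\tau/2} p_{\mathcal{N}}(x)\,dx. \tag{G.5}$$

Now, as a first approximation of $p_{\mathcal{N}'}(x)$, assume that $\tau > \epsilon$ so that

$$p_{\mathcal{N}'}(x)_1 = \alpha_{-1}\delta(x + \tau) + \alpha_0\delta(x) + \alpha_1\delta(x - \tau) \tag{G.6}$$

where the subscript 1 denotes the indices of $\alpha_n$ considered in the approximation. Applying
(G.2) to (G.6) we have

$$\begin{aligned}
\operatorname{Var}(\mathcal{N}')_1 &= (-\tau)^2\,\Phi(-\tau/2) + (0)^2\,\big(\Phi(\tau/2) - \Phi(-\tau/2)\big) + (\tau)^2\,\big(1 - \Phi(\tau/2)\big) \\
&= 2\tau^2\,\Phi(-\tau/2)
\end{aligned} \tag{G.7}$$

which leads to

$$2\tau^2\,\Phi(-\tau/2) < \sigma^2. \tag{G.8}$$

Then solving for $\tau$ we have

$$\tau < 3.4\sigma. \tag{G.9}$$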

To begin to quantify the fidelity of the approximation given in (G.6) let it be extended to

$$p_{\mathcal{N}'}(x)_2 = \alpha_{-2}\delta(x + 2\tau) + \alpha_{-1}\delta(x + \tau) + \alpha_0\delta(x) + \alpha_1\delta(x - \tau) + \alpha_2\delta(x - 2\tau). \tag{G.10}$$


In this case the variance is given by 
Var(Af ')2 = (-2t)2o 


=11 


+ (T)^|<I>(y 


*l5j) + (2r)qi-<.(| 


(G.ll) 


s...i=ll)...d*y.*(=ll 
Figure G.1. The error associated with using the first-order variance approximation
parameterized by $\tau$ is presented in this figure. Both the resulting
error and $\tau$ are normalized by $\sigma$.


Now in order to understand when the first order approximation given in (G.6) is no longer 
valid, consider the difference between the two approximations of variance 

Var (^')2 - Var(A^')i = . (G. 12 ) 

The resulting error between the two approximations of $\operatorname{Var}(\mathcal{N}')$ is shown in Figure G.1. By
inspection, one finds that the initial first-order approximation is appropriate for finding the
upper bound on $\tau$ since the error associated with $p_{\mathcal{N}'}(x)_1$ is negligible. Specifically, the
error associated with using the first-order approximation at $\tau = 3.4$ is $1.1779 \times 10^{-5}$. One
may thus conclude that further approximation of the bound is not necessary and that the
sufficient condition for $\operatorname{Var}(\mathcal{N}') > \operatorname{Var}(\mathcal{N})$ is $\tau < 3.4\sigma \;\forall \psi$. ■
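The limits in Appendix E and the 3.4σ condition above can be checked numerically. The Python below is an added example, not part of the thesis: it evaluates the variance of the quantized RV directly from the bin weights α_n, reproduces the two truncated approximations (G.6) and (G.10), and locates the point where the variance falls to σ². The function names are assumptions, and Φ is evaluated through the Gaussian tail Q(x) = 1 − Φ(x) with σ written explicitly in the argument.

```python
import math

def q(x):
    """Standard normal tail probability Q(x) = 1 - Phi(x), accurate deep in the tail."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))

def bin_mass(a, b, sigma):
    """P(a < X <= b) for X ~ N(0, sigma^2), arranged to avoid cancellation in the tails."""
    a, b = a / sigma, b / sigma
    if a >= 0:
        return q(a) - q(b)
    if b <= 0:
        return q(-b) - q(-a)
    return 1.0 - q(b) - q(-a)

def var_quantized(tau, sigma, psi=0.0, span=40.0):
    """Variance of the quantized RV with impulses at n*tau + psi and weights alpha_n.

    psi = 0 and psi = tau/2 both leave the mean at zero, so the second moment is the variance.
    """
    n_max = int(span * sigma / tau) + 2
    total = 0.0
    for n in range(-n_max, n_max + 1):
        x = n * tau + psi
        total += x * x * bin_mass(x - tau / 2.0, x + tau / 2.0, sigma)
    return total

def var_truncated(tau, sigma, order):
    """Approximations (G.6) and (G.10): impulses out to +/-order*tau, with the
    outermost pair absorbing the whole tail."""
    total = 0.0
    for n in range(1, order + 1):
        lo = (n - 0.5) * tau
        mass = q(lo / sigma) if n == order else bin_mass(lo, lo + tau, sigma)
        total += 2.0 * (n * tau) ** 2 * mass
    return total

def crossover(sigma, lo=3.0, hi=4.0):
    """tau at which the quantized variance drops to sigma^2 (bisection on [lo, hi]*sigma)."""
    lo, hi = lo * sigma, hi * sigma
    for _ in range(60):
        mid = 0.5 * (lo + hi)
        if var_quantized(mid, sigma) > sigma ** 2:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

if __name__ == "__main__":
    s = 1.0
    print("small tau   : %.6f (sigma^2 + tau^2/12 = %.6f)" % (var_quantized(0.5, s), s * s + 0.25 / 12))
    print("psi = tau/2 : %.1f (tau^2/4 = %.1f)" % (var_quantized(100.0, s, psi=50.0), 100.0 ** 2 / 4))
    print("order 2 - 1 : %.4e at tau = 3.4 sigma" % (var_truncated(3.4, s, 2) - var_truncated(3.4, s, 1)))
    print("crossover   : tau = %.3f sigma" % crossover(s))
```

The crossover lands slightly above 3.4σ, so the rounded bound in (G.9) sits on the conservative side.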
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APPENDIX H: 

Link Budget for Empirical CeSAR Validation 


When conducting the empirical CeSAR validation accurate distance estimates were highly 
dependent on the strength of the received signal. This appendix details the solution approach 
taken to ensure the received signal was strong enough to provide a distance estimate. 

Among the challenges associated with the hardware were inter-chain leakage, transmit power
limitations, and large losses associated with free space transmission and cable propagation.
The transmit and receive chains had an approximate isolation of 40 dB; therefore, if the
received signal was not strong enough the leakage signal would dominate and the measurement
would be corrupted. The resulting distance estimate would be zero meters since there
is a negligible propagation delay for the leakage signal.

Additionally, the USRP transmit and receive gain variables are not well defined and do
not necessarily translate to dBm (in other words, a transmit gain of 20 ≠ 20 dBm). Our
measurements indicated the USRP gain values corresponded to the transmit powers via the
relationships shown in Table H.1. The transmit power was measured with a spectrum analyzer
as the peak power at the transmit frequency for a BPSK sequence.

Table H.1. Correlation between USRP gain values and actual transmit powers

USRP Gain Value    Transmit Power (dBm)
0                  -10
20                 9.65
26                 15.41
30                 18.32
40                 18.64


In order to determine the link budget associated with the experiment in Chapter 8, we now
enumerate the losses associated with the system used, which is shown in Figure H.1. First,
the loss associated with the coaxial cable was given by the manufacturer as -12.6 dB/100 m.
For the 150 m length of cable used in this experiment the total loss is theoretically 18.9 dB
and was measured at ≈ 20 dB.

Figure H.1. The link budget of the CeSAR validation experiment


The loss associated with wireless transmission L can be calculated as

$$L = 10\gamma \log_{10}\left(\frac{4\pi d}{\lambda}\right) \tag{H.1}$$

where $\gamma$ is the path loss exponent, d is the distance of the wireless channel, and $\lambda$ is the
wavelength. When transmitting at 915.1 MHz for a 100 m wireless channel this results in a
path loss of ≈72 dB to ≈143 dB assuming a path loss exponent of 2 and 4 respectively.

The overall system loss was overcome with a medium power amplifier on the transmit 
antenna and a low noise amplifier on the receive antenna. The signal is first attenuated by 
the cable assembly, then amplified by the medium power amplifier before it is broadcast at 
the transmit antenna. Assuming the USRP transmits at 15 dBm (cf. Table H.1) this means
the transmit power before the Tx antenna is 25 dBm. Standard dipole antennas (3 dBi) 
were used for transmission and reception. The signal then experiences path loss from the 
wireless channel before it is amplified by the 40 dB low noise amplifier. The overall system 
loss including amplifier gains is -16 dB to -87 dB for a y of 2 to 4 respectively. 

The length of the PN sequence was also leveraged to increase the processing gain. In our
case, a 12th order LFSR was used which corresponds to 4095 bits or ≈ 36 dB of processing
gain.

Assuming the USRP does transmit at 15 dBm then the received signal power, before it is
amplified by internal USRP amplifiers, is anywhere from -1 dBm to -72 dBm. Finally, after
amplification from internal power amplifiers, the resulting correlation peak is then amplified
in processing by 36 dB. Due to the potential for received signals to have very low power, the
magnitude of the correlation peak is used to validate the reception of a sufficiently strong
signal. If the correlation peak is significantly larger than the correlation noise floor a valid
distance measurement is recorded.
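The leakage failure mode and the correlation-peak check described in this appendix can be reproduced offline. The simulation below is an added example, not the thesis code: it builds a 4095-chip PN sequence, forms a constructed receive buffer containing the leakage copy at zero delay plus a delayed over-the-air copy and noise, and converts the peak lag to distance the same way the Appendix I listing does. Assumptions: one sample per chip with no pulse shaping, the primitive polynomial x^12 + x^6 + x^4 + x + 1 (not necessarily the one GNU Radio's GLFSR block selects), and illustrative gains, noise level and threshold.

```python
import math
import random

C = 299792458.0   # speed of light in m/s, as used in the Appendix I listing
FS = 25e6         # sample rate of the Appendix I flow graph

def pn_chips():
    """One period of a 12th-order m-sequence as +/-1 chips (assumed polynomial, see lead-in)."""
    bits = [1] * 12
    for n in range(12, 2 ** 12 - 1):
        bits.append(bits[n - 12] ^ bits[n - 11] ^ bits[n - 8] ^ bits[n - 6])
    return [1.0 if b else -1.0 for b in bits]

def processing_gain_db(tx):
    """Processing gain obtained by correlating over the whole sequence."""
    return 10.0 * math.log10(len(tx))

def receive(tx, delay, signal_gain, leak_gain=0.01, noise_std=0.05, seed=7):
    """Constructed receive buffer: leakage at zero delay (40 dB isolation is an
    amplitude ratio of 0.01), the over-the-air copy delayed by `delay` samples, and noise."""
    rng = random.Random(seed)
    n = len(tx)
    return [leak_gain * tx[k] + signal_gain * tx[(k - delay) % n] + rng.gauss(0.0, noise_std)
            for k in range(n)]

def correlate(rx, tx, max_lag=64):
    """Circular cross-correlation of rx against tx for lags 0..max_lag-1."""
    n = len(tx)
    return [sum(rx[k] * tx[(k - lag) % n] for k in range(n)) for lag in range(max_lag)]

def measure(rx, tx, thresh):
    """Return (distance_m, peak, valid); a measurement is valid only if the peak exceeds thresh."""
    z = correlate(rx, tx)
    lag = max(range(len(z)), key=lambda i: abs(z[i]))
    peak = abs(z[lag])
    return lag * C / FS, peak, peak > thresh

if __name__ == "__main__":
    tx = pn_chips()
    print("processing gain: %.1f dB" % processing_gain_db(tx))
    for gain in (0.1, 0.001):   # strong path, then a path weaker than the leakage
        dist, peak, ok = measure(receive(tx, delay=8, signal_gain=gain), tx, thresh=200.0)
        print("gain %.3f -> %.1f m, peak %.1f, valid=%s" % (gain, dist, peak, ok))
```

When the over-the-air copy is weaker than the leakage, the peak sits at lag zero and reports zero meters; the threshold rejects it because the leakage peak is far below what a usable signal produces.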
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APPENDIX I: 

GNU Radio Code for Generating a BPSK PN 
Sequence and Synchronizing USRP Tx/Rx Chains 

#!/usr/bin/env python2
# coding: utf-8
##################################################
# GNU Radio Python Flow Graph
##################################################

from gnuradio import blocks
from gnuradio import digital
from gnuradio import eng_notation
from gnuradio import gr
from gnuradio import uhd
from gnuradio.eng_option import eng_option
from gnuradio.filter import firdes
from optparse import OptionParser
import time
import numpy as np
import matplotlib.pyplot as plt
import os


class gnuradioflow(gr.top_block):

    def __init__(self):
        gr.top_block.__init__(self, "Gnuradioflow")

        ##################################################
        # Variables
        ##################################################
        self.samp_rate = samp_rate = 25e6
        self.constellation = constellation = digital.constellation_calcdist(([-1, 1]), ([0, 1]), 4, 1).base()
        self.center_freq = center_freq = 915.1e6

        ##################################################
        # Blocks
        ##################################################
        self.usrp_source = uhd.usrp_source(
            ",".join(("", "")),
            uhd.stream_args(
                cpu_format="fc32",
                channels=range(1),
            ),
        )
        self.usrp_source.set_samp_rate(samp_rate)
        self.usrp_source.set_center_freq(center_freq, 0)
        self.usrp_source.set_gain(20, 0)  # Receive chain amplifier gain
        self.usrp_source.set_antenna("RX2", 0)
        self.usrp_source.set_bandwidth(samp_rate, 0)
        self.usrp_sink = uhd.usrp_sink(
            ",".join(("", "")),
            uhd.stream_args(
                cpu_format="fc32",
                channels=range(1),
            ),
        )
        self.usrp_sink.set_samp_rate(samp_rate)
        self.usrp_sink.set_center_freq(center_freq, 0)
        self.usrp_sink.set_gain(26, 0)  # Transmit chain amplifier gain
        self.usrp_sink.set_antenna("TX/RX", 0)
        self.usrp_sink.set_bandwidth(samp_rate, 0)

        ##################################################
        # Approximate measured gains for USRP gain value
        # - Measured as peak value of BPSK signal
        ##################################################
        # USRP Gain Value    Actual Gain
        #        0           -10 dBm
        #       20           9.65 dBm
        #       26           15.41 dBm
        #       30           18.32 dBm
        #       40           18.64 dBm
        ##################################################

        ##############################################################
        # Synchronize Tx/Rx Chains (starts chains 100ms in the future)
        ##############################################################
        start_time = self.usrp_sink.get_time_now().get_real_secs() + .1
        self.usrp_sink.set_start_time(uhd.time_spec(start_time))
        self.usrp_source.set_start_time(uhd.time_spec(start_time))

        # Sets GLFSR order to 12
        self.digital_glfsr_source_x_0 = digital.glfsr_source_b(12, False, 0, 1)
        self.digital_constellation_modulator_0 = digital.generic_mod(
            constellation=constellation,
            differential=True,
            samples_per_symbol=2,
            pre_diff_code=True,
            excess_bw=0.35,
            verbose=False,
            log=False,
        )
        # Prevents overloading amplifiers during Tx
        self.blocks_multiply_const_vxx_0 = blocks.multiply_const_vcc((0.5, ))
        # Sets number of samples of the rxwave to save
        self.blocks_head_0 = blocks.head(gr.sizeof_gr_complex*1, int(samp_rate/1000))
        # Location to save rxwave
        self.blocks_file_sink_1 = blocks.file_sink(gr.sizeof_gr_complex*1, "/home/USER/Desktop/rxwave", False)
        self.blocks_file_sink_1.set_unbuffered(False)
        # Location to save txwave
        self.blocks_file_sink_0 = blocks.file_sink(gr.sizeof_gr_complex*1, "/home/USER/Desktop/txwave", False)
        self.blocks_file_sink_0.set_unbuffered(False)

        ##################################################
        # Connections
        ##################################################
        self.connect((self.blocks_head_0, 0), (self.blocks_file_sink_1, 0))
        self.connect((self.blocks_multiply_const_vxx_0, 0), (self.usrp_sink, 0))
        self.connect((self.digital_constellation_modulator_0, 0), (self.blocks_file_sink_0, 0))
        self.connect((self.digital_constellation_modulator_0, 0), (self.blocks_multiply_const_vxx_0, 0))
        self.connect((self.digital_glfsr_source_x_0, 0), (self.digital_constellation_modulator_0, 0))
        self.connect((self.usrp_source, 0), (self.blocks_head_0, 0))

    def get_samp_rate(self):
        return self.samp_rate

    def set_samp_rate(self, samp_rate):
        self.samp_rate = samp_rate
        self.blocks_head_0.set_length(int(self.samp_rate/8))
        self.usrp_sink.set_samp_rate(self.samp_rate)
        self.usrp_sink.set_bandwidth(self.samp_rate, 0)
        self.usrp_source.set_samp_rate(self.samp_rate)
        self.usrp_source.set_bandwidth(self.samp_rate, 0)

    def get_constellation(self):
        return self.constellation

    def set_constellation(self, constellation):
        self.constellation = constellation

    def get_center_freq(self):
        return self.center_freq

    def set_center_freq(self, center_freq):
        self.center_freq = center_freq
        self.usrp_sink.set_center_freq(self.center_freq, 0)
        self.usrp_source.set_center_freq(self.center_freq, 0)


def main(top_block_cls=gnuradioflow, options=None):

    tb = top_block_cls()
    tb.start()
    tb.wait()

    # Number of automated measurements to take, keep this number low in
    # order to avoid burning out the Tx/Rx chains
    itr = 10
    samples = range(itr)  # The measured distances will be saved here
    corr = range(itr)  # This will save the peak correlation value to review in post-processing
    # This is the threshold the correlation peak must exceed in order to be a valid measurement
    thresh = 1500
    # Placeholder: correlation index that corresponds to zero distance. The
    # listing uses zerodist without defining it; set it from a calibration
    # measurement of the setup before use.
    zerodist = 0

    for x in range(1, itr+1):
        i = 0
        z = [0]
        dist = 0
        # Repeat the measurement until the peak magnitude clears the threshold
        # and the distance is non-negative
        while (abs(z[i]) < thresh or dist < 0):
            tb = top_block_cls()
            tb.start()
            tb.wait()

            # Read back the waveforms written by the two file sinks
            rx_read_complex_binary = np.fromfile('/home/USER/Desktop/rxwave', dtype=np.complex64)
            tx_read_complex_binary = np.fromfile('/home/USER/Desktop/txwave', dtype=np.complex64)
            rx = rx_read_complex_binary.real
            tx = tx_read_complex_binary.real

            z = np.correlate(rx, tx, "full")
            i = np.argmax(abs(z))

            # Calculate the distance from the max correlation index
            dist = (i - zerodist) * 299792458/tb.samp_rate

        print "trial " + str(x) + ": " + str(dist) + " meters, correlation " + str(i)

        samples[x-1] = dist
        corr[x-1] = abs(z[i])

        # Optionally plot the correlation peak and the received signal
        plt.plot(abs(z))
        plt.show()
        plt.plot(rx)
        plt.show()

    print "mean: " + str(np.mean(samples))
    si = open('/home/jroth/Desktop/Samples', 'wb+')
    si.write(str(samples))
    si.close()

    si = open('/home/jroth/Desktop/Correlation', 'wb+')
    si.write(str(corr))
    si.close()


if __name__ == '__main__':
    main()
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